7.5

CVSS Score

Basic Information

CVE ID

CVE-2013-4221

GHSA ID

GHSA-92j2-5r7p-6hjw

EPSS Score

0.79883%

CWE

CWE-91

Published

5/17/2022

Updated

3/15/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-4221

CVE-2013-4221: Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2013-4221

GHSA ID

GHSA-92j2-5r7p-6hjw

EPSS Score

0.79883%

CWE

CWE-91

Published

5/17/2022

Updated

3/15/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.restlet.jse:org.restlet	maven	< 2.1.4	2.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from two key points: (1) ObjectRepresentation's use of XMLDecoder for deserialization (explicitly warned about in its Javadoc post-patch), and (2) DefaultConverter's pre-patch default enabling of the APPLICATION_JAVA_OBJECT_XML media type. The combination of these factors allowed untrusted XML input to trigger code execution. The patch introduced a system property to disable XML deserialization by default, confirming these as the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ****ult *on*i*ur*tion o* t** O*j**tR*pr*s*nt*tion *l*ss in R*stl*t ***or* *.*.* **s*ri*liz*s o*j**ts *rom untrust** sour**s usin* t** J*v* XML***o**r, w*i** *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry J*v* *o** vi* *r**t** XML.

Reasoning

T** vuln*r**ility *ris*s *rom two k*y points: (*) O*j**tR*pr*s*nt*tion's us* o* XML***o**r *or **s*ri*liz*tion (*xpli*itly w*rn** **out in its J*v**o* post-p*t**), *n* (*) ****ult*onv*rt*r's pr*-p*t** ****ult *n**lin* o* t** *PPLI**TION_J*V*_O*J**T_X

7.5

Basic Information

Concerned about an active attack path?

CVE-2013-4221: Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI