
CVE-2013-4221: Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML

CVSS Score
7.5

Basic Information

EPSS Score
0.79883%
Published
5/17/2022
Updated
3/15/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name
org.restlet.jse:org.restlet
Ecosystem
maven
Vulnerable Versions
< 2.1.4
First Patched Version
2.1.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability arises from two key points: (1) ObjectRepresentation's use of XMLDecoder for deserialization (explicitly warned about in its Javadoc post-patch), and (2) DefaultConverter's pre-patch default enabling of the APPLICATION_JAVA_OBJECT_XML media type. The combination of these factors allowed untrusted XML input to trigger code execution. The patch introduced a system property to disable XML deserialization by default, confirming these as the vulnerable points.
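As an added example (not Miggo's or Restlet's own code, and not a substitute for upgrading to 2.1.4 or later), a Restlet 2.x Filter that rejects request entities declaring the Java object XML media type before any converter can hand them to XMLDecoder; the class name and log message are my own, and the filter assumes it is attached in front of the application's router.

```java
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.MediaType;
import org.restlet.data.Status;
import org.restlet.representation.Representation;
import org.restlet.routing.Filter;

/**
 * Defence-in-depth guard for the media type that pre-2.1.4 DefaultConverter
 * routed to ObjectRepresentation/XMLDecoder. Hypothetical class, added here
 * as an illustration; the real fix is the 2.1.4 upgrade.
 */
public class JavaObjectXmlRejectFilter extends Filter {

    public JavaObjectXmlRejectFilter(Context context) {
        super(context);
    }

    /** True when the declared type is one Restlet maps to Java (de)serialization. */
    static boolean isJavaObjectType(MediaType type) {
        if (type == null) {
            return false;
        }
        String name = type.getName();
        return name.equals(MediaType.APPLICATION_JAVA_OBJECT_XML.getName())
            || name.equals(MediaType.APPLICATION_JAVA_OBJECT.getName());
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        Representation entity = request.getEntity();
        if (entity != null && isJavaObjectType(entity.getMediaType())) {
            // Log for detection, then stop the chain before conversion happens.
            getLogger().warning("Rejected " + entity.getMediaType()
                + " entity from " + request.getClientInfo().getAddress());
            response.setStatus(Status.CLIENT_ERROR_UNSUPPORTED_MEDIA_TYPE);
            return STOP;
        }
        return CONTINUE;
    }

    /** Wires the guard in front of an existing root Restlet (e.g. a Router). */
    public static Restlet wrap(Context context, Restlet root) {
        JavaObjectXmlRejectFilter guard = new JavaObjectXmlRejectFilter(context);
        guard.setNext(root);
        return guard;
    }
}
```

Return `wrap(getContext(), router)` from your Application's createInboundRoot so every inbound request passes the check first.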


WAF Protection Rules

WAF Rule

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
