CVE-2013-4221: Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML
CVSS Score
7.5
Basic Information
CVE ID
CVE-2013-4221
GHSA ID
EPSS Score
0.79883%
CWE
Published
5/17/2022
Updated
3/15/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector (v2)
AV:N/AC:L/Au:N/C:P/I:P/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.restlet.jse:org.restlet | maven | < 2.1.4 | 2.1.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability arises from two points: (1) ObjectRepresentation deserializes the request body with java.beans.XMLDecoder, which treats the XML document as a script of constructor and method invocations, so whoever supplies the document chooses which class is instantiated and which methods are called (the post-patch Javadoc warns about this explicitly); and (2) before the patch, DefaultConverter registered the APPLICATION_JAVA_OBJECT_XML media type by default, so any client could reach that code path simply by sending a body with that Content-Type. Together these allowed untrusted XML input to trigger arbitrary code execution. The patch introduced a system property that disables XML deserialization by default, confirming these as the vulnerable points.
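The two points above, shown side by side as an added example (this is not Restlet's code or the advisory's; the media type string is assumed to be the value behind Restlet's APPLICATION_JAVA_OBJECT_XML constant, and the `demo.xmlObjectDeserialization.enabled` flag is a hypothetical stand-in for the system property the patch introduced, whose name this page does not give). The constructed body is deliberately harmless, instantiating a StringBuilder and calling append, but the decoder would just as readily instantiate java.lang.ProcessBuilder and call start() on it, which is the code-execution case.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

public class XmlDecoderDemo {

    // Constructed sample body (not from the advisory or from Restlet). java.beans XML is a
    // script of constructor and method calls: the sender names the class and the method.
    // The target here is harmless (StringBuilder.append); the same document shape with
    // class="java.lang.ProcessBuilder", <string> constructor arguments and
    // <void method="start"/> is the arbitrary code execution this CVE describes.
    static final String UNTRUSTED_BODY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n"
      + " <object class=\"java.lang.StringBuilder\">\n"
      + "  <void method=\"append\">\n"
      + "   <string>class and method chosen by the sender</string>\n"
      + "  </void>\n"
      + " </object>\n"
      + "</java>\n";

    // Assumed media type string behind Restlet's APPLICATION_JAVA_OBJECT_XML constant.
    static final String JAVA_OBJECT_XML = "application/x-java-serialized-object+xml";

    // Pre-patch shape: a body tagged with the Java-object XML media type is handed
    // straight to XMLDecoder, which executes whatever the document says.
    static Object decodeUnconditionally(byte[] body) {
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(body))) {
            return decoder.readObject();
        }
    }

    // Post-patch shape: XML object deserialization is opt-in. The flag name is
    // hypothetical; the advisory only says the fix added a system property that is off
    // by default. Content-Type parameters (";charset=...") are stripped before comparing
    // so a client cannot slip past the check by appending one.
    static final boolean XML_OBJECTS_SUPPORTED =
        Boolean.getBoolean("demo.xmlObjectDeserialization.enabled");

    static Object decodeIfEnabled(String contentType, byte[] body) {
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        if (!JAVA_OBJECT_XML.equals(mediaType)) {
            throw new IllegalArgumentException("unsupported media type: " + mediaType);
        }
        if (!XML_OBJECTS_SUPPORTED) {
            throw new IllegalStateException(
                "refusing " + mediaType + ": XML object deserialization is disabled by default");
        }
        return decodeUnconditionally(body);
    }

    public static void main(String[] args) {
        byte[] body = UNTRUSTED_BODY.getBytes(StandardCharsets.UTF_8);

        // Vulnerable path: the sender's constructor and method calls run; the result is
        // the StringBuilder holding the sender-supplied text.
        Object result = decodeUnconditionally(body);
        System.out.println("pre-patch decoded: " + result.getClass().getName() + " -> " + result);

        // Hardened path: the same body is rejected unless the operator opted in.
        try {
            decodeIfEnabled(JAVA_OBJECT_XML + "; charset=UTF-8", body);
            System.out.println("post-patch: decoded because the opt-in flag is set");
        } catch (IllegalStateException e) {
            System.out.println("post-patch: " + e.getMessage());
        }
    }
}
```

Run it as-is to see the pre-patch path decode the body and the post-patch path refuse it; run it with `-Ddemo.xmlObjectDeserialization.enabled=true` to see the opt-in behaviour. The point of the gate is that XMLDecoder has no safe mode: there is no class allow-list that makes it acceptable on untrusted input, so the only sound default is to not reach it at all.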