{
  "threat_severity" : "Important",
  "public_date" : "2018-10-23T00:00:00Z",
  "bugzilla" : {
    "description" : "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)",
    "id" : "1722971",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1722971"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON. (regression of CVE-2013-7285)", "It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of CVE-2013-7285, which was fixed in 1.4.7 as of BPMS 6.0.1; the regression was introduced with xstream-1.4.10 implemented in RHPAM." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Data Grid 7.3.3",
    "release_date" : "2020-03-05T00:00:00Z",
    "advisory" : "RHSA-2020:0727",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7.3",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat Fuse 6.3",
    "release_date" : "2019-12-19T00:00:00Z",
    "advisory" : "RHSA-2019:4352",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat Fuse 7.5.0",
    "release_date" : "2019-11-14T00:00:00Z",
    "advisory" : "RHSA-2019:3892",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss BPMS 7.4",
    "release_date" : "2019-07-22T00:00:00Z",
    "advisory" : "RHSA-2019:1823",
    "cpe" : "cpe:/a:redhat:jboss_bpms:7.4",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss BRMS 7.4",
    "release_date" : "2019-07-22T00:00:00Z",
    "advisory" : "RHSA-2019:1822",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.4",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3",
    "release_date" : "2020-02-06T00:00:00Z",
    "advisory" : "RHSA-2020:0445",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3",
    "package" : "rh-sso7-keycloak"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10173\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10173\nhttp://x-stream.github.io/changes.html#1.4.11" ],
  "name" : "CVE-2019-10173",
  "csaw" : false
}