CVE-2013-4521 - Deserialization of Untrusted Data vulnerability in Nuxeo 5.6.0/5.8.0
CVSS metrics

Attack vector | Attack complexity | Privileges required | Confidentiality impact | Integrity impact | Availability impact |
---|---|---|---|---|---|
NETWORK | LOW | NONE | HIGH | HIGH | HIGH |

Summary
RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.
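The weakness described above is the classic unrestricted `ObjectInputStream.readObject()` pattern: the stream instantiates whatever class name the attacker-supplied bytes carry. The following is an added example written for this page, not code from Nuxeo or the RichFaces project. It shows the vulnerable form beside the look-ahead allowlist form, in which `resolveClass()` rejects any class not on an explicit allowlist before the object is allocated, so neither its constructor nor its `readObject()` ever runs. The classes `ViewState` and `Unexpected` are hypothetical stand-ins for legitimate view state and for an arbitrary class embedded in a crafted stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class LookAheadDeserializationDemo {

    /** Hypothetical stand-in for state the application legitimately serializes. */
    public static final class ViewState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String viewId;
        ViewState(String viewId) { this.viewId = viewId; }
    }

    /** Hypothetical, harmless stand-in for any class an attacker could name in a crafted stream. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Vulnerable pattern: no restriction on which classes the stream may load and instantiate. */
    static Object deserializeUnrestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: resolveClass() is consulted for every class descriptor before instantiation. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Reject by name before super.resolveClass() loads the class; no object is ever allocated.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserializeRestricted(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(ViewState.class.getName());
        byte[] good = serialize(new ViewState("/home.xhtml"));
        byte[] crafted = serialize(new Unexpected());   // constructed sample of attacker-controlled bytes

        // The unrestricted stream instantiates whatever class the bytes name.
        System.out.println("unrestricted: " + deserializeUnrestricted(crafted).getClass().getName());

        // The allowlisted stream accepts the expected type ...
        ViewState vs = (ViewState) deserializeRestricted(good, allowed);
        System.out.println("restricted ok: " + vs.viewId);

        // ... and rejects anything else by class name, before any of its code can run.
        try {
            deserializeRestricted(crafted, allowed);
        } catch (InvalidClassException e) {
            System.out.println("restricted rejected: " + e.classname);
        }
    }
}
```

Two practical notes. `resolveClass()` is not invoked for `String`, primitive values or the descriptors of primitive arrays, so the allowlist only needs the application's own types plus whatever JDK collection or wrapper classes the legitimate graph actually contains; build it from a serialization test of real state rather than by guessing, and keep it an allowlist rather than a denylist of known gadgets. On Java 9 and later the same policy can be expressed without subclassing through `ObjectInputFilter` (`ObjectInputStream.setObjectInputFilter`), which also lets you cap depth, array length and total object count.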
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 28 |
Common Weakness Enumeration (CWE)
CWE-502: Deserialization of Untrusted Data
References
- http://doc.nuxeo.com/display/public/ADMINDOC58/Nuxeo+Security+Hotfixes
- https://bugzilla.redhat.com/show_bug.cgi?id=1027052
- https://github.com/nuxeo/richfaces/commit/6cbad2a6dcb70d3e33a6ce5879b1a3ad79eb1aec