CVE-2013-4221 Information

Description

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder which allows remote attackers to execute arbitrary Java code via crafted XML.

Reference

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html http://restlet.org/learn/2.1/changes http://rhn.redhat.com/errata/RHSA-2013-1410.html http://rhn.redhat.com/errata/RHSA-2013-1862.html https://bugzilla.redhat.com/show_bug.cgi?id=995275 https://github.com/restlet/restlet-framework-java/issues/774