CVE-2013-4221

N/A Unknown

Published: October 10, 2013 Modified: April 29, 2026

Description

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html

Source: secalert@redhat.com

Third Party Advisory

http://restlet.org/learn/2.1/changes

Source: secalert@redhat.com

Release Notes Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2013-1410.html

Source: secalert@redhat.com

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2013-1862.html

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=995275

Source: secalert@redhat.com

Issue Tracking Third Party Advisory

https://github.com/restlet/restlet-framework-java/issues/774

Source: secalert@redhat.com

Issue Tracking Patch

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html