Description
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
Remediation
References
http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
http://restlet.org/learn/2.1/changes
http://rhn.redhat.com/errata/RHSA-2013-1410.html
http://rhn.redhat.com/errata/RHSA-2013-1862.html
https://bugzilla.redhat.com/show_bug.cgi?id=995275
https://github.com/restlet/restlet-framework-java/issues/774
Related Vulnerabilities
CVE-2022-23539 Vulnerability in npm package jsonwebtoken
CVE-2022-23623 Vulnerability in npm package frourio
CVE-2022-31193 Vulnerability in maven package org.dspace:dspace-jspui
CVE-2017-16821 Vulnerability in maven package org.b3log:symphony
CVE-2021-39234 Vulnerability in maven package org.apache.ozone:ozone-common