CVE-2019-10173 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhat	CNA	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
xstream	xstream	1.4.10
oracle	banking_platform	2.4.0 ≤ 𝑥 ≤ 2.10.0
oracle	banking_platform	2.4.0
oracle	banking_platform	2.7.1
oracle	banking_platform	2.9.0
oracle	business_activity_monitoring	11.1.1.9.0
oracle	business_activity_monitoring	12.2.1.3.0
oracle	business_activity_monitoring	12.2.1.4.0
oracle	communications_billing_and_revenue_management_elastic_charging_engine	11.3.0.9.0
oracle	communications_billing_and_revenue_management_elastic_charging_engine	12.0.0.3.0
oracle	communications_diameter_signaling_router	8.0.0 ≤ 𝑥 ≤ 8.2.2
oracle	communications_unified_inventory_management	7.3.0
oracle	communications_unified_inventory_management	7.4.0
oracle	endeca_information_discovery_studio	3.2.0
oracle	endeca_information_discovery_studio	3.2.0.0
oracle	retail_xstore_point_of_service	17.0
oracle	utilities_framework	4.3.0.1.0 ≤ 𝑥 ≤ 4.3.0.6.0
oracle	utilities_framework	2.2.0.0.0
oracle	utilities_framework	4.2.0.2.0
oracle	utilities_framework	4.2.0.3.0
oracle	utilities_framework	4.4.0.0.0
oracle	webcenter_portal	11.1.1.9.0
oracle	webcenter_portal	12.2.1.3.0
oracle	webcenter_portal	12.2.1.4.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libxstream-java

bullseye (security)	1.4.15-3+deb11u2 fixed
bullseye	1.4.15-3+deb11u2 fixed
stretch	not-affected
jessie	not-affected
bookworm	1.4.20-1 fixed
sid	1.4.20-2 fixed
trixie	1.4.20-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

libxstream-java

hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	not-affected
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

http://x-stream.github.io/changes.html#1.4.11

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4352

https://access.redhat.com/errata/RHSA-2020:0445

https://access.redhat.com/errata/RHSA-2020:0727

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

http://x-stream.github.io/changes.html#1.4.11

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4352

https://access.redhat.com/errata/RHSA-2020:0445

https://access.redhat.com/errata/RHSA-2020:0727

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html