The RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.

Software | From | Fixed in |
---|---|---|
nuxeo / nuxeo | 5.6.0 | 5.6.0.x |
nuxeo / nuxeo | 5.6.0-hotfix01 | 5.6.0-hotfix01.x |
nuxeo / nuxeo | 5.6.0-hotfix02 | 5.6.0-hotfix02.x |
nuxeo / nuxeo | 5.6.0-hotfix03 | 5.6.0-hotfix03.x |
nuxeo / nuxeo | 5.6.0-hotfix04 | 5.6.0-hotfix04.x |
nuxeo / nuxeo | 5.6.0-hotfix05 | 5.6.0-hotfix05.x |
nuxeo / nuxeo | 5.6.0-hotfix06 | 5.6.0-hotfix06.x |
nuxeo / nuxeo | 5.6.0-hotfix07 | 5.6.0-hotfix07.x |
nuxeo / nuxeo | 5.6.0-hotfix08 | 5.6.0-hotfix08.x |
nuxeo / nuxeo | 5.6.0-hotfix09 | 5.6.0-hotfix09.x |
nuxeo / nuxeo | 5.6.0-hotfix10 | 5.6.0-hotfix10.x |
nuxeo / nuxeo | 5.6.0-hotfix11 | 5.6.0-hotfix11.x |
nuxeo / nuxeo | 5.6.0-hotfix12 | 5.6.0-hotfix12.x |
nuxeo / nuxeo | 5.6.0-hotfix13 | 5.6.0-hotfix13.x |
nuxeo / nuxeo | 5.6.0-hotfix14 | 5.6.0-hotfix14.x |
nuxeo / nuxeo | 5.6.0-hotfix15 | 5.6.0-hotfix15.x |
nuxeo / nuxeo | 5.6.0-hotfix16 | 5.6.0-hotfix16.x |
nuxeo / nuxeo | 5.6.0-hotfix17 | 5.6.0-hotfix17.x |
nuxeo / nuxeo | 5.6.0-hotfix18 | 5.6.0-hotfix18.x |
nuxeo / nuxeo | 5.6.0-hotfix19 | 5.6.0-hotfix19.x |
nuxeo / nuxeo | 5.6.0-hotfix20 | 5.6.0-hotfix20.x |
nuxeo / nuxeo | 5.6.0-hotfix21 | 5.6.0-hotfix21.x |
nuxeo / nuxeo | 5.6.0-hotfix22 | 5.6.0-hotfix22.x |
nuxeo / nuxeo | 5.6.0-hotfix23 | 5.6.0-hotfix23.x |
nuxeo / nuxeo | 5.6.0-hotfix24 | 5.6.0-hotfix24.x |
nuxeo / nuxeo | 5.6.0-hotfix25 | 5.6.0-hotfix25.x |
nuxeo / nuxeo | 5.6.0-hotfix26 | 5.6.0-hotfix26.x |
nuxeo / nuxeo | 5.8.0 | 5.8.0.x |