Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-bxg6-fsmd-6qae
Vulnerability ID VCID-bxg6-fsmd-6qae
Aliases CVE-2013-2185
GHSA-v6c7-8qx5-8gmp
Summary The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
Status Disputed
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-20 Improper Input Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-502 Deserialization of Untrusted Data
CWE-626 Null Byte Interaction Error (Poison Null Byte)
System Score Found at
generic_textual HIGH http://openwall.com/lists/oss-security/2014/10/24/12
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1193.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1194.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1265.html
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.05286 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-v6c7-8qx5-8gmp
generic_textual HIGH https://github.com/apache/tomcat
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2013-2185
generic_textual HIGH http://www.openwall.com/lists/oss-security/2013/09/05/4
Reference id Reference type URL
http://openwall.com/lists/oss-security/2014/10/24/12
http://rhn.redhat.com/errata/RHSA-2013-1193.html
http://rhn.redhat.com/errata/RHSA-2013-1194.html
http://rhn.redhat.com/errata/RHSA-2013-1265.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2185.json
https://api.first.org/data/v1/epss?cve=CVE-2013-2185
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2185
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/e246e5fc13307da0a5d3bbf860d64d97be1c40f8
https://nvd.nist.gov/vuln/detail/CVE-2013-2185
http://www.openwall.com/lists/oss-security/2013/09/05/4
974813 https://bugzilla.redhat.com/show_bug.cgi?id=974813
GHSA-v6c7-8qx5-8gmp https://github.com/advisories/GHSA-v6c7-8qx5-8gmp
RHSA-2013:1193 https://access.redhat.com/errata/RHSA-2013:1193
RHSA-2013:1194 https://access.redhat.com/errata/RHSA-2013:1194
RHSA-2013:1265 https://access.redhat.com/errata/RHSA-2013:1265
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.89967
EPSS Score 0.05286
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T02:35:20.507538+00:00 NVD CVE Status Improver Improve https://cveawg.mitre.org/api/cve/CVE-2013-2185 38.1.0
2026-04-01T12:38:17.091531+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 38.0.0