Vulnerability details: VCID-1xh1-329x-aaar
Vulnerability ID VCID-1xh1-329x-aaar
Aliases CVE-2013-2185
GHSA-v6c7-8qx5-8gmp
Summary Arbitrary file write via deserialization (GHSA title: "Arbitrary file upload via deserialization"). A remote attacker who can supply a serialized instance of the DiskFileItem class to a server that deserializes it could use this flaw to write arbitrary content to any location on the server that the user running the application server process is permitted to write. The write happens because the class's readObject() recreates its on-disk temporary file from the repository path and cached content carried in the serialized stream; the flaw is only reachable where the application deserializes attacker-controlled data, which is why the vendor disputes the issue (see Status below).
Status Disputed
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
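The practical defence for this class of bug is to never deserialize untrusted input, and where Java serialization cannot be removed, to pin an ObjectInputFilter (JEP 290, java.io.ObjectInputFilter, Java 9+) that allowlists only the types an endpoint legitimately receives, so an attacker-supplied DiskFileItem is rejected before its readObject() can run. The following Java program is an added example, not code from this page or from the Tomcat or Commons FileUpload projects. The allowlist pattern, the use of java.util.HashMap as a stand-in for an unexpected class, and the package names rejected explicitly (org.apache.commons.fileupload and Tomcat's internal copy under org.apache.tomcat.util.http.fileupload) are this example's assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class DeserializationFilterDemo {

    // First matching pattern wins. Explicitly reject both known homes of
    // DiskFileItem (assumed package names), allow only the types this
    // endpoint expects, and reject everything else with the trailing "!*".
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.fileupload.**;"
            + "!org.apache.tomcat.util.http.fileupload.**;"
            + "java.util.ArrayList;java.lang.String;"
            + "!*");

    // Deserialize with the filter attached. A rejected class surfaces as
    // InvalidClassException before any of its readObject() logic executes.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Helper to build serialized test input in-process (constructed sample data).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected input: a list of file names. Passes the allowlist.
        List<String> expected = new ArrayList<>(List.of("report.pdf", "notes.txt"));
        Object accepted = readFiltered(serialize(expected));
        System.out.println("accepted: " + accepted);

        // Unexpected input: any class outside the allowlist. HashMap stands in
        // here for a DiskFileItem payload, which is not on the classpath of
        // this example; the filter treats both the same way.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with any JDK 9 or later (`javac DeserializationFilterDemo.java && java DeserializationFilterDemo`). Prefer the allowlist form over a pure denylist: a denylist of known gadget classes has to be maintained forever, while `!*` at the end fails closed for every class the endpoint did not explicitly expect. On Java 8u121 and later the same filter can be installed process-wide with the `jdk.serialFilter` system property instead of per-stream code.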
Affected and Fixed Packages Package Details
Weaknesses (5)
System Score Found at
generic_textual MODERATE http://openwall.com/lists/oss-security/2014/10/24/12
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1193.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1194.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1265.html
rhas Important https://access.redhat.com/errata/RHSA-2013:1193
rhas Important https://access.redhat.com/errata/RHSA-2013:1194
rhas Important https://access.redhat.com/errata/RHSA-2013:1265
epss 0.00293 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.00345 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.06552 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.06588 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
epss 0.18843 https://api.first.org/data/v1/epss?cve=CVE-2013-2185
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=974813
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-v6c7-8qx5-8gmp
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual HIGH https://github.com/apache/tomcat
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2013-2185
generic_textual HIGH http://www.openwall.com/lists/oss-security/2013/09/05/4
Reference id Reference type URL
http://openwall.com/lists/oss-security/2014/10/24/12
http://rhn.redhat.com/errata/RHSA-2013-1193.html
http://rhn.redhat.com/errata/RHSA-2013-1194.html
http://rhn.redhat.com/errata/RHSA-2013-1265.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2185.json
https://api.first.org/data/v1/epss?cve=CVE-2013-2185
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2185
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/e246e5fc13307da0a5d3bbf860d64d97be1c40f8
http://www.openwall.com/lists/oss-security/2013/09/05/4
974813 https://bugzilla.redhat.com/show_bug.cgi?id=974813
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:6.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_portal_platform:6.0.0:*:*:*:*:*:*:*
CVE-2013-2185 https://nvd.nist.gov/vuln/detail/CVE-2013-2185
GHSA-v6c7-8qx5-8gmp https://github.com/advisories/GHSA-v6c7-8qx5-8gmp
RHSA-2013:1193 https://access.redhat.com/errata/RHSA-2013:1193
RHSA-2013:1194 https://access.redhat.com/errata/RHSA-2013:1194
RHSA-2013:1265 https://access.redhat.com/errata/RHSA-2013:1265
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): none
Availability Impact (A): high
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2013-2185
Exploitability (E): not defined (not present in the vector)
Access Vector (AV): network
Access Complexity (AC): low
Authentication (Au): none
Confidentiality Impact (C): partial
Integrity Impact (I): partial
Availability Impact (A): partial
Exploit Prediction Scoring System (EPSS)
Percentile 0.69708
EPSS Score 0.00293
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2025-04-16T13:47:46.498184+00:00 NVD CVE Status Improver Improve https://cveawg.mitre.org/api/cve/CVE-2013-2185 36.0.0