CVE-2013-2185

Name: CVE-2013-2185
Creator: NVD / NIST
Published: 2014-01-19T18:02:57.037+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 7.20%

Last modified Jun 16, 2026

CVE-2013-2185 is a vulnerability of currently unknown severity. The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. EPSS estimates a 7.20% chance of exploitation in the next 30 days.

Description

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue

Metrics

EPSS Probability

7.20%

93.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions
Apache	Tomcat	<= 7.0.39
Redhat	Jboss Enterprise Application Platform	6.1.0
Redhat	Jboss Enterprise Portal Platform	6.0.0

References

http://openwall.com/lists/oss-security/2014/10/24/12
http://rhn.redhat.com/errata/RHSA-2013-1193.htmlVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-1194.htmlVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-1265.htmlVendor Advisory
http://www.openwall.com/lists/oss-security/2013/09/05/4
http://openwall.com/lists/oss-security/2014/10/24/12
http://rhn.redhat.com/errata/RHSA-2013-1193.htmlVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-1194.htmlVendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-1265.htmlVendor Advisory
http://www.openwall.com/lists/oss-security/2013/09/05/4

Timeline

Published: Jan 19, 2014
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2013-2185?

How severe is CVE-2013-2185?

Severity scoring for CVE-2013-2185 is pending analysis. The EPSS model estimates a 7.20% probability of exploitation in the next 30 days.

How do I fix CVE-2013-2185?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2013-2185?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST