CVE-2019-10173

Name: CVE-2019-10173
Creator: NVD / NIST
Published: 2019-07-23T13:15:13.177+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 94.77%

Last modified Jun 17, 2026

CVE-2019-10173 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. EPSS estimates a 94.77% chance of exploitation in the next 30 days.

Description

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

94.77%

99.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Xstream	Xstream	1.4.10
Oracle	Banking Platform	>= 2.4.0, <= 2.10.0
Oracle	Banking Platform	2.4.0
Oracle	Banking Platform	2.7.1
Oracle	Banking Platform	2.9.0
Oracle	Business Activity Monitoring	11.1.1.9.0
Oracle	Business Activity Monitoring	12.2.1.3.0
Oracle	Business Activity Monitoring	12.2.1.4.0
Oracle	Communications Billing And Revenue Management Elastic Charging Engine	11.3.0.9.0
Oracle	Communications Billing And Revenue Management Elastic Charging Engine	12.0.0.3.0
Oracle	Communications Diameter Signaling Router	>= 8.0.0, <= 8.2.2
Oracle	Communications Unified Inventory Management	7.3.0
Oracle	Communications Unified Inventory Management	7.4.0
Oracle	Endeca Information Discovery Studio	3.2.0
Oracle	Endeca Information Discovery Studio	3.2.0.0
Oracle	Retail Xstore Point Of Service	17.0
Oracle	Utilities Framework	>= 4.3.0.1.0, <= 4.3.0.6.0
Oracle	Utilities Framework	2.2.0.0.0
Oracle	Utilities Framework	4.2.0.2.0
Oracle	Utilities Framework	4.2.0.3.0
Oracle	Utilities Framework	4.4.0.0.0
Oracle	Webcenter Portal	11.1.1.9.0
Oracle	Webcenter Portal	12.2.1.3.0
Oracle	Webcenter Portal	12.2.1.4.0

References

http://x-stream.github.io/changes.html#1.4.11Release Notes, Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173Issue Tracking, Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
http://x-stream.github.io/changes.html#1.4.11Release Notes, Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173Issue Tracking, Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory

Timeline

Published: Jul 23, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-10173?

How severe is CVE-2019-10173?

CVE-2019-10173 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 94.77% probability of exploitation in the next 30 days.

How do I fix CVE-2019-10173?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-10173?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST