Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/44687?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/44687?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "type": "maven", "namespace": "com.thoughtworks.xstream", "name": "xstream", "version": "1.4.19", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.4.21", "latest_non_vulnerable_version": "1.4.21", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52805?format=api", "vulnerability_id": "VCID-9442-1vwr-5fbt", "summary": "XStream can cause Denial of Service via stack overflow\n### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:\n\n- java.util.HashMap\n- java.util.HashSet\n- java.util.Hashtable\n- java.util.LinkedHashMap\n- java.util.LinkedHashSet\n- Other third party collection implementations that use their element's hash code may also be affected\n\nA simple solution is to catch the StackOverflowError in the client code calling XStream.\n\nIf your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:\n```Java\nXStream xstream = new XStream();\nxstream.setMode(XStream.NO_REFERENCES);\n```\n\nIf your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:\n```Java\nXStream xstream = new XStream();\nxstream.denyTypes(new Class[]{\n java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class\n});\n```\n\nUnfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::\n```Java\nxstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);\nxstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);\n```\nHowever, this implies that your application does not care about the implementation of the map and all elements are comparable.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41966", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84993", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84911", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84929", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84934", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84957", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84963", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84979", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84978", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84973", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84994", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.02376", "scoring_system": "epss", "scoring_elements": "0.84996", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41966" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/x-stream/xstream", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream" }, { "reference_url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/" } ], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966" }, { "reference_url": "https://x-stream.github.io/CVE-2022-41966.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/" } ], "url": "https://x-stream.github.io/CVE-2022-41966.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754", "reference_id": "1027754", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", "reference_id": "2170431", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431" }, { "reference_url": "https://github.com/advisories/GHSA-j563-grx4-pjpv", "reference_id": "GHSA-j563-grx4-pjpv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j563-grx4-pjpv" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1006", "reference_id": "RHSA-2023:1006", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1006" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1177", "reference_id": "RHSA-2023:1177", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1177" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1286", "reference_id": "RHSA-2023:1286", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1286" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2041", "reference_id": "RHSA-2023:2041", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2041" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2100", "reference_id": "RHSA-2023:2100", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2100" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3625", "reference_id": "RHSA-2023:3625", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3625" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3663", "reference_id": "RHSA-2023:3663", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3663" }, { "reference_url": "https://usn.ubuntu.com/5946-1/", "reference_id": "USN-5946-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5946-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80464?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fcg2-x3s5-wudk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20" } ], "aliases": [ "CVE-2022-41966", "GHSA-j563-grx4-pjpv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9442-1vwr-5fbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52432?format=api", "vulnerability_id": "VCID-exrn-u19r-wfd8", "summary": "Duplicate Advisory: Denial of Service due to parser crash\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references.\n\n## Original Description\nThose using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "references": [ { "reference_url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367" }, { "reference_url": "https://github.com/x-stream/xstream", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream" }, { "reference_url": "https://github.com/x-stream/xstream/issues/304", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream/issues/304" }, { "reference_url": "https://github.com/x-stream/xstream/issues/314", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream/issues/314" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151" }, { "reference_url": "https://github.com/advisories/GHSA-3mq5-fq9h-gj7j", "reference_id": "GHSA-3mq5-fq9h-gj7j", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3mq5-fq9h-gj7j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80464?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fcg2-x3s5-wudk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20" } ], "aliases": [ "GHSA-3mq5-fq9h-gj7j", "GMS-2022-9109" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-exrn-u19r-wfd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17274?format=api", "vulnerability_id": "VCID-fcg2-x3s5-wudk", "summary": "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream\n### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.\n\n### Patches\nXStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html).\n\n### Credits\nAlexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47072", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49494", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49496", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.4945", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49448", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49429", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49409", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49464", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49459", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49455", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49476", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47072" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47072", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47072" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/x-stream/xstream", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream" }, { "reference_url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/" } ], "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266" }, { "reference_url": "https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a" }, { "reference_url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/" } ], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47072" }, { "reference_url": "https://x-stream.github.io/CVE-2024-47072.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/" } ], "url": "https://x-stream.github.io/CVE-2024-47072.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274", "reference_id": "1087274", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", "reference_id": "2324606", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324606" }, { "reference_url": "https://github.com/advisories/GHSA-hfq9-hggm-c56q", "reference_id": "GHSA-hfq9-hggm-c56q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hfq9-hggm-c56q" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10214", "reference_id": "RHSA-2024:10214", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10214" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2218", "reference_id": "RHSA-2025:2218", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2218" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2219", "reference_id": "RHSA-2025:2219", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2219" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2220", "reference_id": "RHSA-2025:2220", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2220" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2221", "reference_id": "RHSA-2025:2221", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2221" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2222", "reference_id": "RHSA-2025:2222", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2222" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2223", "reference_id": "RHSA-2025:2223", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2223" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57123?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.21" } ], "aliases": [ "CVE-2024-47072", "GHSA-hfq9-hggm-c56q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fcg2-x3s5-wudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52285?format=api", "vulnerability_id": "VCID-hqzr-vc5w-9ff5", "summary": "Denial of Service due to parser crash\nThose using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n\nThis vulnerability is only relevant for users making use of the DTD parsing functionality.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40152.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40152.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40152", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.7414", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.7415", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74141", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74102", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74109", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74126", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74105", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.7409", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74057", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.7406", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74086", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40152" }, { "reference_url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:21Z/" } ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/FasterXML/woodstox", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FasterXML/woodstox" }, { "reference_url": "https://github.com/FasterXML/woodstox/issues/157", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FasterXML/woodstox/issues/157" }, { "reference_url": "https://github.com/FasterXML/woodstox/issues/160", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FasterXML/woodstox/issues/160" }, { "reference_url": "https://github.com/FasterXML/woodstox/pull/159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FasterXML/woodstox/pull/159" }, { "reference_url": "https://github.com/x-stream/xstream/issues/304", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:21Z/" } ], "url": "https://github.com/x-stream/xstream/issues/304" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032089", "reference_id": "1032089", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032089" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", "reference_id": "2134291", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "reference_url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "reference_id": "GHSA-3f7h-mf4q-vrm4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0469", "reference_id": "RHSA-2023:0469", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0469" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0552", "reference_id": "RHSA-2023:0552", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0552" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0553", "reference_id": "RHSA-2023:0553", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0553" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0554", "reference_id": "RHSA-2023:0554", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0554" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0556", "reference_id": "RHSA-2023:0556", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0556" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2100", "reference_id": "RHSA-2023:2100", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2100" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3641", "reference_id": "RHSA-2023:3641", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3641" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3815", "reference_id": "RHSA-2023:3815", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3815" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:4983", "reference_id": "RHSA-2023:4983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:4983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:4437", "reference_id": "RHSA-2025:4437", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:4437" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80464?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fcg2-x3s5-wudk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20" } ], "aliases": [ "CVE-2022-40152", "GHSA-3f7h-mf4q-vrm4" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hqzr-vc5w-9ff5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52776?format=api", "vulnerability_id": "VCID-mfub-hwcq-pqbt", "summary": "XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow\n### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html).\n\n### Credits\nThe vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40151.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40151.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40151", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49206", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49237", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49239", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49192", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49188", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49215", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49197", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49166", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49146", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49194", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.492", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40151" }, { "reference_url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:18Z/" } ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/x-stream/xstream", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream" }, { "reference_url": "https://github.com/x-stream/xstream/issues/304", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:18Z/" } ], "url": "https://github.com/x-stream/xstream/issues/304" }, { "reference_url": "https://github.com/x-stream/xstream/issues/314", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream/issues/314" }, { "reference_url": "https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151" }, { "reference_url": "https://x-stream.github.io/CVE-2022-40151.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://x-stream.github.io/CVE-2022-40151.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", "reference_id": "2134292", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292" }, { "reference_url": "https://github.com/advisories/GHSA-f8cc-g7j8-xxpm", "reference_id": "GHSA-f8cc-g7j8-xxpm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f8cc-g7j8-xxpm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0469", "reference_id": "RHSA-2023:0469", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0469" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2100", "reference_id": "RHSA-2023:2100", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2100" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80464?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fcg2-x3s5-wudk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20" } ], "aliases": [ "CVE-2022-40151", "GHSA-f8cc-g7j8-xxpm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mfub-hwcq-pqbt" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12464?format=api", "vulnerability_id": "VCID-yb4j-92y9-nfb5", "summary": "Denial of Service by injecting highly recursive collections or maps in XStream\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43859.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43859.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43859", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83096", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83093", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83092", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83054", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83058", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83064", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83049", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83017", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83019", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83006", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.8299", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01863", "scoring_system": "epss", "scoring_elements": "0.83042", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43859" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/x-stream/xstream", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/x-stream/xstream" }, { "reference_url": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2022.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/02/09/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/02/09/1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2049783", "reference_id": "2049783", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2049783" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43859", "reference_id": "CVE-2021-43859", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43859" }, { "reference_url": "https://x-stream.github.io/CVE-2021-43859.html", "reference_id": "CVE-2021-43859.HTML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://x-stream.github.io/CVE-2021-43859.html" }, { "reference_url": "https://github.com/advisories/GHSA-rmr5-cpv2-vgjf", "reference_id": "GHSA-rmr5-cpv2-vgjf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rmr5-cpv2-vgjf" }, { "reference_url": "https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf", "reference_id": "GHSA-rmr5-cpv2-vgjf", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1420", "reference_id": "RHSA-2022:1420", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1420" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5532", "reference_id": "RHSA-2022:5532", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5532" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5606", "reference_id": "RHSA-2022:5606", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5606" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/", "reference_id": "VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/", "reference_id": "XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44687?format=api", "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9442-1vwr-5fbt" }, { "vulnerability": "VCID-exrn-u19r-wfd8" }, { "vulnerability": "VCID-fcg2-x3s5-wudk" }, { "vulnerability": "VCID-hqzr-vc5w-9ff5" }, { "vulnerability": "VCID-mfub-hwcq-pqbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.19" } ], "aliases": [ "CVE-2021-43859", "GHSA-rmr5-cpv2-vgjf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yb4j-92y9-nfb5" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.19" }