Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (2)
| Vulnerability |
Summary |
Aliases |
|
VCID-fcg2-x3s5-wudk
|
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
### Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.
### Patches
XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead.
### Workarounds
The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html).
### Credits
Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.
|
CVE-2024-47072
GHSA-hfq9-hggm-c56q
|
|
VCID-yb4j-92y9-nfb5
|
Denial of Service by injecting highly recursive collections or maps in XStream
The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.
|
CVE-2021-43859
GHSA-rmr5-cpv2-vgjf
|