Search for packages
| purl | pkg:maven/com.thoughtworks.xstream/xstream@1.4.17 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12bx-r37t-3ygm
Aliases: CVE-2021-39150 GHSA-cxfm-5m4g-x7xp |
Server-Side Request Forgery (SSRF) XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime to Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-7ma6-2uv1-sbef
Aliases: CVE-2021-39147 GHSA-h7v4-7xg3-hxcc |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-8gha-n6ke-nucu
Aliases: CVE-2021-39148 GHSA-qrx8-8545-4wg2 |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-9442-1vwr-5fbt
Aliases: CVE-2022-41966 GHSA-j563-grx4-pjpv |
XStream can cause Denial of Service via stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected: - java.util.HashMap - java.util.HashSet - java.util.Hashtable - java.util.LinkedHashMap - java.util.LinkedHashSet - Other third party collection implementations that use their element's hash code may also be affected A simple solution is to catch the StackOverflowError in the client code calling XStream. If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: ```Java XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); ``` If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: ```Java XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); ``` Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: ```Java xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); ``` However, this implies that your application does not care about the implementation of the map and all elements are comparable. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html). ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user) |
Affected by 1 other vulnerability. |
|
VCID-c5tu-31kw-mfcf
Aliases: CVE-2021-39153 GHSA-2q8x-2p7f-574v |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. if using the version out of the box with Java runtime to 8 or with JavaFX installed. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-dxpe-qmxq-ykax
Aliases: CVE-2021-39145 GHSA-8jrj-525p-826v |
Unrestricted Upload of File with Dangerous Type XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-eeye-wfxf-x7cc
Aliases: CVE-2021-39146 GHSA-p8pq-r894-fm8f |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-exrn-u19r-wfd8
Aliases: GHSA-3mq5-fq9h-gj7j GMS-2022-9109 |
Duplicate Advisory: Denial of Service due to parser crash ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references. ## Original Description Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. |
Affected by 1 other vulnerability. |
|
VCID-f779-wcjk-kfc1
Aliases: CVE-2021-39154 GHSA-6w62-hx7r-mw68 |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-fcg2-x3s5-wudk
Aliases: CVE-2024-47072 GHSA-hfq9-hggm-c56q |
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. ### Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). ### Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. |
Affected by 0 other vulnerabilities. |
|
VCID-hqzr-vc5w-9ff5
Aliases: CVE-2022-40152 GHSA-3f7h-mf4q-vrm4 |
Denial of Service due to parser crash Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. This vulnerability is only relevant for users making use of the DTD parsing functionality. |
Affected by 1 other vulnerability. |
|
VCID-mfub-hwcq-pqbt
Aliases: CVE-2022-40151 GHSA-f8cc-g7j8-xxpm |
XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html). ### Credits The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user) |
Affected by 1 other vulnerability. |
|
VCID-na6t-mkxt-3qbw
Aliases: CVE-2021-39144 GHSA-j9h8-phrw-h4fh |
XStream is vulnerable to a Remote Command Execution attack XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-npjx-vkrd-9bae
Aliases: CVE-2021-39141 GHSA-g5w6-mrj7-75h2 |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-rfc1-r1gr-wffp
Aliases: CVE-2021-39151 GHSA-hph2-m3g5-xxv4 |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-v7za-zjfx-mqek
Aliases: CVE-2021-39152 GHSA-xw4p-crpj-vjx2 |
Server-Side Request Forgery (SSRF) XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-wehr-d623-akaj
Aliases: CVE-2021-39140 GHSA-6wf9-jmg9-vxcc |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to allocate % CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-xsr8-3cke-33ck
Aliases: CVE-2021-39149 GHSA-3ccq-5vw3-2p6x |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
|
VCID-yb4j-92y9-nfb5
Aliases: CVE-2021-43859 GHSA-rmr5-cpv2-vgjf |
Denial of Service by injecting highly recursive collections or maps in XStream The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. |
Affected by 5 other vulnerabilities. |
|
VCID-yuwe-6pp1-bke2
Aliases: CVE-2021-39139 GHSA-64xx-cq4q-mf44 |
Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again.However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-qvbb-jhkk-2udw | XStream is vulnerable to a Remote Command Execution attack ### Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-29505](https://x-stream.github.io/CVE-2021-29505.html). ### Credits V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Email us at [XStream Google Group](https://groups.google.com/group/xstream-user) |
CVE-2021-29505
GHSA-7chv-rrw6-w6fc |