Search for packages
| purl | pkg:maven/com.thoughtworks.xstream/xstream@1.4.18 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9442-1vwr-5fbt
Aliases: CVE-2022-41966 GHSA-j563-grx4-pjpv |
XStream can cause Denial of Service via stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected: - java.util.HashMap - java.util.HashSet - java.util.Hashtable - java.util.LinkedHashMap - java.util.LinkedHashSet - Other third party collection implementations that use their element's hash code may also be affected A simple solution is to catch the StackOverflowError in the client code calling XStream. If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: ```Java XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); ``` If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: ```Java XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); ``` Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: ```Java xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); ``` However, this implies that your application does not care about the implementation of the map and all elements are comparable. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html). ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user) |
Affected by 1 other vulnerability. |
|
VCID-exrn-u19r-wfd8
Aliases: GHSA-3mq5-fq9h-gj7j GMS-2022-9109 |
Duplicate Advisory: Denial of Service due to parser crash ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references. ## Original Description Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. |
Affected by 1 other vulnerability. |
|
VCID-fcg2-x3s5-wudk
Aliases: CVE-2024-47072 GHSA-hfq9-hggm-c56q |
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. ### Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). ### Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. |
Affected by 0 other vulnerabilities. |
|
VCID-hqzr-vc5w-9ff5
Aliases: CVE-2022-40152 GHSA-3f7h-mf4q-vrm4 |
Denial of Service due to parser crash Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. This vulnerability is only relevant for users making use of the DTD parsing functionality. |
Affected by 1 other vulnerability. |
|
VCID-mfub-hwcq-pqbt
Aliases: CVE-2022-40151 GHSA-f8cc-g7j8-xxpm |
XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html). ### Credits The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user) |
Affected by 1 other vulnerability. |
|
VCID-yb4j-92y9-nfb5
Aliases: CVE-2021-43859 GHSA-rmr5-cpv2-vgjf |
Denial of Service by injecting highly recursive collections or maps in XStream The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. |
Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-12bx-r37t-3ygm | Server-Side Request Forgery (SSRF) XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime to Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39150
GHSA-cxfm-5m4g-x7xp |
| VCID-7ma6-2uv1-sbef | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39147
GHSA-h7v4-7xg3-hxcc |
| VCID-8gha-n6ke-nucu | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39148
GHSA-qrx8-8545-4wg2 |
| VCID-c5tu-31kw-mfcf | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. if using the version out of the box with Java runtime to 8 or with JavaFX installed. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39153
GHSA-2q8x-2p7f-574v |
| VCID-dxpe-qmxq-ykax | Unrestricted Upload of File with Dangerous Type XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted. |
CVE-2021-39145
GHSA-8jrj-525p-826v |
| VCID-eeye-wfxf-x7cc | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted. |
CVE-2021-39146
GHSA-p8pq-r894-fm8f |
| VCID-f779-wcjk-kfc1 | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39154
GHSA-6w62-hx7r-mw68 |
| VCID-na6t-mkxt-3qbw | XStream is vulnerable to a Remote Command Execution attack XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted. |
CVE-2021-39144
GHSA-j9h8-phrw-h4fh |
| VCID-npjx-vkrd-9bae | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39141
GHSA-g5w6-mrj7-75h2 |
| VCID-rfc1-r1gr-wffp | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39151
GHSA-hph2-m3g5-xxv4 |
| VCID-v7za-zjfx-mqek | Server-Side Request Forgery (SSRF) XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39152
GHSA-xw4p-crpj-vjx2 |
| VCID-wehr-d623-akaj | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to allocate % CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39140
GHSA-6wf9-jmg9-vxcc |
| VCID-xsr8-3cke-33ck | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39149
GHSA-3ccq-5vw3-2p6x |
| VCID-yuwe-6pp1-bke2 | Deserialization of Untrusted Data XStream is a simple library to serialize objects to XML and back again.However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted. |
CVE-2021-39139
GHSA-64xx-cq4q-mf44 |