Search for packages
| purl | pkg:deb/debian/libxstream-java@1.4.20-1%2Bdeb12u1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-fcg2-x3s5-wudk | XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. ### Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). ### Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. |
CVE-2024-47072
GHSA-hfq9-hggm-c56q |
| VCID-yb4j-92y9-nfb5 | Denial of Service by injecting highly recursive collections or maps in XStream The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. |
CVE-2021-43859
GHSA-rmr5-cpv2-vgjf |