GHSA-hfq9-hggm-c56q

Suggest an improvement
Source
https://github.com/advisories/GHSA-hfq9-hggm-c56q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-hfq9-hggm-c56q/GHSA-hfq9-hggm-c56q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hfq9-hggm-c56q
Aliases
Related
Published
2024-11-07T21:51:17Z
Modified
2024-11-08T14:07:31.933157Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Details

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.

Patches

XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072.

Credits

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

Database specific
{
    "nvd_published_at": "2024-11-08T00:15:14Z",
    "cwe_ids": [
        "CWE-121",
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T21:51:17Z"
}
References

Affected packages

Maven / com.thoughtworks.xstream:xstream

Package

Name
com.thoughtworks.xstream:xstream
View open source insights on deps.dev
Purl
pkg:maven/com.thoughtworks.xstream/xstream

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.21

Affected versions

0.*

0.1
0.2
0.3
0.5
0.6

1.*

1.0
1.0.1
1.0.2
1.1
1.1.1
1.1.2
1.1.3
1.2
1.2.1
1.2.2
1.3
1.3.1
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.10-java7
1.4.11
1.4.11-java7
1.4.11.1
1.4.12
1.4.12-java7
1.4.13
1.4.13-java7
1.4.14
1.4.14-java7
1.4.14-jdk7
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.4.20