XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may …
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
https://cwe.mitre.org/data/definitions/434.html →Open in CWE collection →The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://cwe.mitre.org/data/definitions/502.html →Open in CWE collection →In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
https://capec.mitre.org/data/definitions/1.html →Open in CAPEC collection →An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
https://capec.mitre.org/data/definitions/586.html →Open in CAPEC collection →| Product | Vendor | Status |
|---|---|---|
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| libxstream-java | Tracked | |
| xstream | Tracked | |
| activemq | * | Tracked |
| banking_enterprise_default_management | * | Tracked |
| banking_platform | * | Tracked |
| banking_virtual_account_management | * | Tracked |