GHSA-3mq5-fq9h-gj7j

Опубликовано: 17 сент. 2022

Источник: github

Github: Прошло ревью

Описание

Duplicate Advisory: Denial of Service due to parser crash

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f8cc-g7j8-xxpm. This link is maintained to preserve external references.

Original Description

Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2022-40151
https://github.com/x-stream/xstream/issues/304
https://github.com/x-stream/xstream/issues/314
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367

Пакеты

Наименование

com.thoughtworks.xstream:xstream

maven

Затронутые версииВерсия исправления

<= 1.4.19

Отсутствует