Description
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully, which could cause an application crash. The crash occurs if the file being fed into the XStream input stream contains an instance of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.
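Added example, not code from this record or from the XStream project: it applies the denyTypes workaround the description refers to and checks that a document naming the void type is refused by the type filter before the unmarshaller tries to instantiate it. It assumes XStream 1.4.7 to 1.4.9 on the classpath (where denyTypes(Class[]) and ForbiddenClassException exist); the class and helper names are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

/** Hardening check for the 'void' unmarshalling crash in XStream 1.4.x (hypothetical class). */
public class XStreamVoidHardening {

    /** Build an XStream instance with the denyTypes workaround applied. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Assumption: XStream 1.4.7-1.4.9 on the classpath, where denyTypes(Class[]) exists.
        // Refuse the primitive 'void' type and its wrapper; the security mapper checks the
        // type filter while resolving the element name, before any instance is created.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /**
     * Returns true when the document is refused by the type filter
     * (ForbiddenClassException) instead of being unmarshalled.
     */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false; // document was accepted and unmarshalled
        } catch (ForbiddenClassException e) {
            return true;  // blocked by denyTypes before instantiation
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed sample input: the element from the advisory's fromXML call.
        String voidDocument = "<void/>";
        // A benign document for comparison, to show the filter only targets void.
        String benignDocument = "<string>hello</string>";

        System.out.println("void element rejected:   " + isRejected(xstream, voidDocument));
        System.out.println("string element rejected: " + isRejected(xstream, benignDocument));
    }
}
```

Without the denyTypes call, the same voidDocument input reaches the instantiation path that the description reports as crashing the application, so the check belongs wherever XStream instances are constructed, not at individual call sites.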
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | xstream | Affected | | |
| Red Hat Enterprise Linux 7 | xstream | Affected | | |
| Red Hat Enterprise Virtualization 3 | jasperreports-server-pro | Under investigation | | |
| Red Hat JBoss A-MQ 6 | camel | Affected | | |
| Red Hat JBoss Data Grid 6 | xstream | Will not fix | | |
| Red Hat JBoss Data Grid 7 | xstream | Affected | | |
| Red Hat JBoss Fuse Service Works 6 | xstream | Will not fix | | |
| Red Hat JBoss Portal 6 | xstream | Will not fix | | |
| Red Hat JBoss SOA Platform 5 | xstream | Will not fix | | |
| Red Hat OpenShift Enterprise 2 | xstream | Not affected | | |
Additional information
Status: 5.9 Medium (CVSS3)
Related vulnerabilities
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
XStream through 1.4.9, when a certain denyTypes workaround is not used ...
5.9 Medium
CVSS3