
CVE-2020-26258 – Server-Side Request Forgery can be activated when unmarshalling with XStream
https://notcve.org/view.php?id=CVE-2020-26258
16 Dec 2020 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery (SSRF) vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, solely by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if... • https://github.com/Al1ex/CVE-2020-26258 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2020-26259 – XStream is vulnerable to Arbitrary File Deletion on the local host when unmarshalling
https://notcve.org/view.php?id=CVE-2020-26259
16 Dec 2020 — XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to arbitrary file deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, solely by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulne... • https://github.com/jas502n/CVE-2020-26259 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2020-26217 – Remote Code Execution in XStream
https://notcve.org/view.php?id=CVE-2020-26217
16 Nov 2020 — XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands solely by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14. • https://github.com/Al1ex/CVE-2020-26217 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-502: Deserialization of Untrusted Data •

CVE-2019-10173 – xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)
https://notcve.org/view.php?id=CVE-2019-10173
22 Jul 2019 — It was found that the xstream API in version 1.4.10 before 1.4.11 introduced a regression of a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any other supported format (e.g. JSON). (regression of CVE-2013-7285) • http://x-stream.github.io/changes.html#1.4.11 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •

CVE-2017-7957 – XStream: DoS when unmarshalling void type
https://notcve.org/view.php?id=CVE-2017-7957
29 Apr 2017 — XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

CVE-2016-3674 – XStream: enabled processing of external entities
https://notcve.org/view.php?id=CVE-2016-3674
13 May 2016 — Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
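An added example for the XXE entry above (editor's code, not from XStream or any advisory): a StaxDriver subclass that switches off DTD and external-entity support on the StAX factory it reads from, fed a constructed XXE probe. XStream 1.4.9 and later already configure their drivers this way; the subclass makes that policy explicit so it survives a driver swap or a downgrade. It covers only the StAX path; the DOM/JDOM drivers named in the entry build their parsers differently. The class name, the allow-listed types and the payload are assumptions made for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import javax.xml.stream.XMLInputFactory;

// Editor-added example; not XStream project code. Class name and payload are hypothetical.
public class XxeSafeStaxDriver extends StaxDriver {

    // StaxDriver builds its readers from the factory returned here; tightening it
    // turns "no DTD, no external entities" into an explicit, version-independent policy.
    @Override
    protected XMLInputFactory createInputFactory() {
        XMLInputFactory factory = super.createInputFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Pair the driver with an allowlist so type resolution is locked down as well.
    public static XStream hardened() {
        XStream xs = new XStream(new XxeSafeStaxDriver());
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypes(new Class[] { String.class });
        return xs;
    }

    // Returns the unmarshalled value, or null if XStream or the parser rejected the document.
    // XStreamException covers both StreamException (raised while reading the prolog) and
    // ConversionException (a parser error wrapped while a converter is running).
    public static Object parseOrReject(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (XStreamException e) {
            System.out.println("rejected (" + e.getClass().getSimpleName() + "): " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed XXE probe: an external entity pointing at a local file.
        String probe = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE s [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
            + "<string>&xxe;</string>";
        Object result = parseOrReject(xs, probe);
        // With DTD support off the JDK parser errors at the DOCTYPE or at the undeclared
        // entity. Whatever the exact error, the file's contents must never appear here.
        if (result != null && result.toString().contains("root:")) {
            System.out.println("XXE: file contents leaked");
        } else {
            System.out.println("no external content resolved: " + result);
        }

        // Ordinary input is unaffected by the hardening.
        System.out.println(parseOrReject(xs, "<string>hello</string>"));
    }
}
```

If an application cannot move off the DOM-based drivers, the equivalent check is to confirm that the DocumentBuilderFactory they use has `disallow-doctype-decl` enabled; the StAX override above does not reach them.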

CVE-2013-7285 – OpenMRS Reporting Module 0.9.7 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-7285
14 Mar 2014 — Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any other supported format (e.g. JSON). • https://www.exploit-db.com/exploits/39193 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
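The entries for CVE-2020-26217, CVE-2020-26258, CVE-2020-26259, CVE-2019-10173 and CVE-2013-7285 all turn on the same condition: the Security Framework is either not initialized or left on its default blocklist. CVE-2017-7957 adds that even allowlist users needed a denyTypes entry for void. The following is an added example (editor's code, not from XStream or any advisory) of the allowlist configuration those entries say is not affected, with the void denial included. It does not reproduce any exploit chain; the constructed inputs only show that an unexpected type is refused before a converter or constructor runs. The class names, the allow-listed types and the payloads are assumptions made for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Editor-added example; not XStream project code. Class names and payloads are hypothetical.
public class AllowlistedXStream {

    // The only application type this endpoint is expected to receive (hypothetical).
    public static class Employee {
        String name;
        int id;
    }

    // Start from "nothing is allowed" and allow-list exactly what the application needs.
    // This is the allowlist mode the CVE-2020-26217 entry says is unaffected, and it
    // satisfies the "security framework initialized" condition of CVE-2013-7285 and
    // CVE-2019-10173 without relying on the default blocklist.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // drop every default permission
        xs.addPermission(NullPermission.NULL);                // <null/> elements
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xs.allowTypes(new Class[] { String.class, Employee.class });
        // PrimitiveTypePermission also matches void.class (Class.isPrimitive() is true for
        // it), so the CVE-2017-7957 denyTypes workaround is still required. XStream checks
        // permissions most-recently-added first, so the denial goes after the allows.
        xs.denyTypes(new Class[] { void.class, Void.class });
        xs.alias("employee", Employee.class);
        return xs;
    }

    // Returns the unmarshalled object, or null when the security framework rejects the input.
    // XStreamException is the common superclass of ForbiddenClassException and
    // ConversionException, so it catches the rejection however XStream reports it.
    public static Object parseOrReject(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (XStreamException e) {
            System.out.println("rejected (" + e.getClass().getSimpleName() + "): " + xml);
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Expected, well-formed input round-trips normally.
        Employee ok = (Employee) parseOrReject(xs,
            "<employee><name>Alice</name><id>7</id></employee>");
        System.out.println("accepted: " + ok.name + " #" + ok.id);

        // Constructed inputs: a JDK type the application never allow-listed (a stand-in for
        // any class an attacker might name) and the void element from CVE-2017-7957.
        String[] unexpected = {
            "<java.io.File><path>/tmp/anything</path></java.io.File>",
            "<void/>",
        };
        for (String payload : unexpected) {
            if (parseOrReject(xs, payload) != null) {
                System.out.println("ACCEPTED, allowlist is misconfigured: " + payload);
            }
        }
    }
}
```

When reviewing an existing deployment, the check is whether addPermission(NoTypePermission.NONE) (or an equivalent allow-only setup) is called on every XStream instance that touches untrusted input; a blocklist, however recent, is exactly what the 1.4.14 and 1.4.15 entries above say remains exposed.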