CVE-2017-7957 – XStream: DoS when unmarshalling void type
https://notcve.org/view.php?id=CVE-2017-7957
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call. XStream a través de 1.4.9, cuando no se utiliza una solución de denyTypes, mishandles intenta crear una instancia del tipo primitivo 'void' durante unmarshalling, dando lugar a un fallo de aplicación remota, como lo demuestra una llamda a xstream.fromXML (" > "). It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. • http://www.debian.org/security/2017/dsa-3841 http://www.securityfocus.com/bid/100687 http://www.securitytracker.com/id/1039499 http://x-stream.github.io/CVE-2017-7957.html https://access.redhat.com/errata/RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:2888 https://access.redhat.com/errata/RHSA-2017:2889 https://exchange.xforce.ibmcloud.com/vulnerabilities/125800 https://www-prd-trops.events.ibm.com/node/715749 https://access.redhat.com/security/cve/CVE-2017 • CWE-20: Improper Input Validation •
CVE-2016-3674 – XStream: enabled processing of external entities
https://notcve.org/view.php?id=CVE-2016-3674
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. Múltiples vulnerabilidades de entidad externa (XXE) en (1) Dom4JDriver, (2) DomDriver, (3) JDom Driver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver y (7) WstxDriver drivers en XStream en versiones anteriores a 1.4.9 permiten a atacantes remotos leer archivos arbitrarios a través de un documento XML manipulado. It was found that several XML parsers used by XStream had default settings that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html http://rhn.redhat.com/errata/RHSA-2016-2822.html http://rhn.redhat.com/errata/RHSA-2016-2823.html http://www.debian.org/security/2016/dsa-3575 http://www.openwall.com/lists/oss-security/2016/03/25/8 http://www.openwall.com/lists/oss-security/2016/03/28/1 http://www.securityfocus.com/bid/85381 http://www.se • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2013-7285 – OpenMRS Reporting Module 0.9.7 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-7285
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. Xstream API versiones hasta la 1.4.6 y versión 1.4.10, Si la security framework no ha sido inicializada, estas vulnerabilidades podrían permitir que un atacante remoto ejecute comandos arbitrarios de shell mediante la manipulación de la secuencia de entrada procesada al desclasificar un XML o cualquier formato compatible. p.ej. JSON. It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. • https://www.exploit-db.com/exploits/39193 http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html http://seclists.org/oss-sec/2014/q1/69 http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org% • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •