CVE-2024-47072 – XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
https://notcve.org/view.php?id=CVE-2024-47072
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. • https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266 https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q https://x-stream.github.io/CVE-2024-47072.html https://access.redhat.com/security/cve/CVE-2024-47072 https://bugzilla.redhat.com/show_bug.cgi?id=2324606 • CWE-121: Stack-based Buffer Overflow CWE-502: Deserialization of Untrusted Data •
CVE-2022-41966 – XStream Denial of Service via stack overflow
https://notcve.org/view.php?id=CVE-2022-41966
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. • https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv https://x-stream.github.io/CVE-2022-41966.html https://access.redhat.com/security/cve/CVE-2022-41966 https://bugzilla.redhat.com/show_bug.cgi?id=2170431 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow CWE-502: Deserialization of Untrusted Data CWE-674: Uncontrolled Recursion •
CVE-2022-40152 – Stack Buffer Overflow in Woodstox
https://notcve.org/view.php?id=CVE-2022-40152
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. Los que usan Xstream para seralizar datos XML pueden ser vulnerables a ataques de Denegación de Servicio (DOS). Si el analizador es ejecutado con la entrada suministrada por el usuario, un atacante puede suministrar contenido que cause el bloqueo del analizador por desbordamiento de pila. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434 https://github.com/x-stream/xstream/issues/304 https://access.redhat.com/security/cve/CVE-2022-40152 https://bugzilla.redhat.com/show_bug.cgi?id=2134291 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2022-40151 – Stack Buffer Overflow in xstream
https://notcve.org/view.php?id=CVE-2022-40151
Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. Los que usan Xstream para seralizar datos XML pueden ser vulnerables a ataques de Denegación de Servicio (DOS). Si el analizador es ejecutado con la entrada suministrada por el usuario, un atacante puede suministrar contenido que cause el bloqueo del analizador por desbordamiento de pila. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367 https://github.com/x-stream/xstream/issues/304 https://access.redhat.com/security/cve/CVE-2022-40151 https://bugzilla.redhat.com/show_bug.cgi?id=2134292 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2021-43859 – Denial of Service by injecting highly recursive collections or maps in XStream
https://notcve.org/view.php?id=CVE-2021-43859
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. • http://www.openwall.com/lists/oss-security/2022/02/09/1 https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X& • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •