CVE-2017-7957
XStream: DoS when unmarshalling void type
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
XStream a través de 1.4.9, cuando no se utiliza una solución de denyTypes, mishandles intenta crear una instancia del tipo primitivo 'void' durante unmarshalling, dando lugar a un fallo de aplicación remota, como lo demuestra una llamda a xstream.fromXML (" > ").
It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-04-19 CVE Reserved
- 2017-04-29 CVE Published
- 2024-08-05 CVE Updated
- 2024-10-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (10)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/100687 | Third Party Advisory | |
http://www.securitytracker.com/id/1039499 | Third Party Advisory | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/125800 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://www.debian.org/security/2017/dsa-3841 | 2019-03-26 | |
http://x-stream.github.io/CVE-2017-7957.html | 2019-03-26 | |
https://access.redhat.com/errata/RHSA-2017:1832 | 2019-03-26 | |
https://access.redhat.com/errata/RHSA-2017:2888 | 2019-03-26 | |
https://access.redhat.com/errata/RHSA-2017:2889 | 2019-03-26 | |
https://access.redhat.com/security/cve/CVE-2017-7957 | 2017-10-12 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1441538 | 2017-10-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Xstream Project Search vendor "Xstream Project" | Xstream Search vendor "Xstream Project" for product "Xstream" | <= 1.4.9 Search vendor "Xstream Project" for product "Xstream" and version " <= 1.4.9" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
|