CVE-2022-41966

XStream Denial of Service via stack overflow

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-30 CVE Reserved
2022-12-27 CVE Published
2024-07-19 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121: Stack-based Buffer Overflow
CWE-502: Deserialization of Untrusted Data
CWE-674: Uncontrolled Recursion

CAPEC

References (4)

URL	Tag	Source
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv	Mitigation

URL	Date	SRC
https://x-stream.github.io/CVE-2022-41966.html	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-41966	2024-03-18
https://bugzilla.redhat.com/show_bug.cgi?id=2170431	2024-03-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xstream Project Search vendor "Xstream Project"		Xstream Search vendor "Xstream Project" for product "Xstream"				< 1.4.20 Search vendor "Xstream Project" for product "Xstream" and version " < 1.4.20"		-		Affected