CVE-2024-47072
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-09-17 CVE Reserved
- 2024-11-07 CVE Published
- 2024-11-08 CVE Updated
- 2024-11-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-121: Stack-based Buffer Overflow
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266 | X_refsource_misc | |
| https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q | X_refsource_confirm | |
| https://x-stream.github.io/CVE-2024-47072.html | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|