XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
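The workaround the advisory describes, shown as an added example that is not code from XStream or from the advisory itself: a wrapper around an XStream instance configured with BinaryStreamDriver that catches StackOverflowError on versions before 1.4.21 and InputManipulationException (package com.thoughtworks.xstream.security, as used by XStream's own input checks) on 1.4.21 and later. The names SafeBinaryReader, RejectedInputException, read and write are invented for this example, and the sample inputs in main are constructed; the truncated stream is not the CVE trigger.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not code from XStream or from the advisory: a small wrapper around
 * an XStream instance configured with BinaryStreamDriver. The class and method names
 * (SafeBinaryReader, RejectedInputException, read, write) are invented for this example.
 */
public final class SafeBinaryReader {

    /** Reported to callers when the input is refused; no Error escapes read(). */
    public static final class RejectedInputException extends RuntimeException {
        RejectedInputException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    private final XStream xstream;

    public SafeBinaryReader(Class<?>... allowedTypes) {
        xstream = new XStream(new BinaryStreamDriver());
        // Unrelated to the stack overflow itself, but mandatory for untrusted input:
        // only allow-listed types may be instantiated during deserialization (CWE-502).
        xstream.allowTypes(allowedTypes);
    }

    /** Serializes with the binary driver (output is XStream's binary format, not XML text). */
    public byte[] write(Object obj) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        xstream.toXML(obj, out);
        return out.toByteArray();
    }

    /**
     * Deserializes a binary XStream document received from an untrusted source.
     *
     * XStream 1.4.21 and later: a manipulated stream is detected and raises
     * InputManipulationException before the stack overflows.
     * XStream before 1.4.21: the same stream ends in StackOverflowError on the
     * calling thread; the advisory's workaround is to catch it in the caller,
     * which is what the third catch block does.
     */
    public Object read(byte[] data) {
        try (InputStream in = new ByteArrayInputStream(data)) {
            return xstream.fromXML(in);
        } catch (InputManipulationException e) {
            throw new RejectedInputException("XStream detected a manipulated binary stream", e);
        } catch (XStreamException e) {
            // Any other malformed input (truncated stream, unknown or disallowed type).
            throw new RejectedInputException("binary stream could not be deserialized", e);
        } catch (StackOverflowError e) {
            // Pre-1.4.21 workaround. By the time this catch runs the recursion has
            // unwound, so the thread's stack is usable again; only this request is
            // rejected instead of the worker thread dying.
            throw new RejectedInputException("binary stream caused a stack overflow; rejected", e);
        } catch (IOException e) {
            throw new RejectedInputException("could not read binary stream", e);
        }
    }

    public static void main(String[] args) {
        SafeBinaryReader reader = new SafeBinaryReader(ArrayList.class, String.class);

        // Constructed sample: a legitimate round trip through the binary driver.
        List<String> payload = new ArrayList<>();
        payload.add("alice");
        payload.add("bob");
        byte[] wire = reader.write(payload);
        System.out.println("round trip: " + reader.read(wire));

        // Constructed sample: a truncated copy of the same stream. This is not the
        // CVE trigger (that needs a specifically crafted stream, not reproduced here);
        // it only shows that malformed input surfaces as RejectedInputException.
        byte[] truncated = Arrays.copyOf(wire, wire.length / 2);
        try {
            reader.read(truncated);
        } catch (RejectedInputException e) {
            System.out.println("rejected: " + e.getMessage()
                    + " (" + e.getCause().getClass().getSimpleName() + ")");
        }
    }
}
```

The catch of StackOverflowError is deliberately narrow: it does not catch Throwable, and it only contains the failure for the one request, so each untrusted document should be parsed on a thread whose loss would not affect other work. On an unpatched version the crafted stream still burns CPU until the thread's stack is exhausted, so this is a stopgap and the fix remains upgrading to 1.4.21 or later.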
History

Tue, 26 Nov 2024 06:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Redhat
                                      Redhat jboss Data Grid
CPEs                                  cpe:/a:redhat:jboss_data_grid:8
Vendors & Products                    Redhat
                                      Redhat jboss Data Grid

Sat, 09 Nov 2024 01:45:00 +0000

Type                 Values Removed          Values Added
References
Metrics              threat_severity: None   threat_severity: Important


Fri, 08 Nov 2024 16:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   X-stream
                                      X-stream x-stream
CPEs                                  cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*
Vendors & Products                    X-stream
                                      X-stream x-stream
Metrics                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 Nov 2024 00:00:00 +0000

Type                 Values Removed   Values Added
Description                           XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
Title                                 XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Weaknesses                            CWE-121
                                      CWE-502
References
Metrics                               cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-07T23:38:52.978Z

Updated: 2024-11-08T15:20:08.949Z

Reserved: 2024-09-17T17:42:37.029Z

Link: CVE-2024-47072

Vulnrichment

Updated: 2024-11-08T15:19:32.931Z

NVD

Status: Awaiting Analysis

Published: 2024-11-08T00:15:14.937

Modified: 2024-11-08T19:01:03.880

Link: CVE-2024-47072

Redhat

Severity: Important

Public Date: 2024-11-07T23:38:52Z

Links: CVE-2024-47072 - Bugzilla