XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights

Impact The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the...

A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host

Impact The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a...

GHSA-2P3X-QW9C-25HH XStream can cause a Denial of Service.

Impact The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation ...

XStream can cause a Denial of Service.

Impact The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation ...

PT-2021-5333 · Xstream +4 · Xstream +4

Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16 Description: The issue is related to the deserialization mechanism in the XStream Java library, which is used for converting objects to XML or JSON formats. An attacker can exploit this by manipulating the inp...

PT-2021-4767 · Xstream +4 · Xstream +4

Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16 Description: The issue is related to the XStream Java library, which is used to serialize objects to XML and back again. A vulnerability may allow a remote attacker to request data from internal resources that...

PT-2021-4787 · Xstream +6 · Xstream +6

Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16 Description: The issue concerns a Java library used to serialize objects to XML and back again. It may allow a remote attacker to execute arbitrary code by manipulating the processed input stream. Users who se...

PT-2021-4766 · Xstream +5 · Xstream +5

Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16 Description: The issue concerns a Java library used for serializing objects to XML and back. It may allow a remote attacker to occupy a thread, causing it to consume maximum CPU time and never return. Users wh...

USN-4740-1: Apache Shiro vulnerabilities

It was discovered that Apache Shiro mishandled specially crafted requests. An attacker could use this vulnerability to bypass authentication mechanisms...

OESA-2021-1015 xstream security update

XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...

Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2021 CPU)

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021 Critical Patch Update CPU. It is, therefore, affected by the following vulnerabilities : - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware...

Amazon Linux 2 : xstream (ALAS-2021-1593)

The version of xstream installed on the remote host is prior to 1.3.1-12. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1593 advisory. A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list,...

Exploit for Server-Side Request Forgery in Apache Struts

Description XStream is a Java library to serialize objects t...

GHSA-4CCH-WXPW-8P28 Server-Side Forgery Request can be activated unmarshalling with XStream

Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15...

Server-Side Forgery Request can be activated unmarshalling with XStream

Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15...

XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling

Impact The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use...

GHSA-JFVX-7WRX-43FH XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling

Impact The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use...

CVE-2020-26259

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executin...

Arbitrary File Deletion

xstream is vulnerable to arbitrary file deletion. XStream's default blacklist of the Security Framework does not blacklist the internal JAX-WS type ReadAllStream.FileStream and therefore, allows the deserialization of XML containing those untrusted type, subsequently leading to an arbitrary file...

CVE-2020-26259

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executin...