Lucene search

[email protected]CVE-2022-40151

HistorySep 16, 2022 - 10:15 a.m.

CVE-2022-40151

2022-09-1610:15:09

CWE-121

CWE-787

[email protected]

web.nvd.nist.gov

117

cve

2022

40151

xstream

xml data

denial of service

dos

vulnerability

parser

stackoverflow

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.2%

JSON

Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Affected configurations

Vulners

NVD

Node

xstreamxstreamRange≤1.4.19

CPENameOperatorVersion
xstream_project:xstreamxstream project xstreamle1.4.19

CPE	Name	Operator	Version
xstream_project:xstream	xstream project xstream	le	1.4.19

CNA Affected

[
  {
    "product": "xstream",
    "vendor": "xstream",
    "versions": [
      {
        "lessThanOrEqual": "1.4.19",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]