CVE-2021-43859 (High) detected in xstream-1.4.7.jar, xstream-1.4.9.jar #317
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Status: Needs Triage
CVE-2021-43859 - High Severity Vulnerability
Vulnerable Libraries - xstream-1.4.7.jar, xstream-1.4.9.jar
xstream-1.4.7.jar
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /modules/objectmappers-smooks/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.7/xstream-1.4.7.jar
Dependency Hierarchy:
xstream-1.4.9.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /modules/objectmappers-benchmarks/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.9/xstream-1.4.9.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
XStream is an open-source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
Publish Date: 2022-02-01
URL: CVE-2021-43859
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rmr5-cpv2-vgjf
Release Date: 2022-02-01
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.19