[GHSA-3f7h-mf4q-vrm4] XStream Denial of Service due to parser crash

[Tsuesun]

Updates

• Affected products

Comments
This appears to be incorrect and this whole advisory needs to be updated and identify the correct library. I am not familiar enough with this vul to confidently update this whole advisory to be correct.

Link to the issue in woodstox: FasterXML/woodstox#157 (comment)

[darakian]

Hey @Tsuesun, I appreciate the thought but what is wrong exactly? Reading your thread it seems that mend/whitesource has misidentified a CVE. Quoting from your thread here FasterXML/woodstox#157 (comment)

Huh?
https://nvd.nist.gov/vuln/detail/CVE-2022-40151
is for XStream NOT Woodstox.

If you look at our advisory we reference the package com.thoughtworks.xstream:xstream
GHSA-3f7h-mf4q-vrm4

If we've missed something please let me know though 👍

[Tsuesun]

Hi @darakian,

I didn't explain the issue well in my first post. The original researcher attributed the vulnerability to com.thoughtworks.xstream:xstream and the details of that messy thread can be found here: x-stream/xstream#304 (comment)

xtream uses woodstox which is where the vulnerability resides at least to my very limited understanding of the two threads.

In my opinion, this particular CVE has been released preemptively and caused a lot of confusion. I am not sure exactly what the best course of action is but the CVE, as is, is causing a lot of confusion in my org with teams trying to fix it.

And seeing as we are using dependabot, I thought the best place to raise this is with you guys :)

[darakian]

I'm still not sure I understand what's going on here. I've joined the conversation in the x-stream thread and will follow up there 👍

[advisory-database]

Hi @Tsuesun! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!