This repository contains JUnit tests that demonstrate how XStream v1.4.11 responds to the security issues http://x-stream.github.io/CVE-2013-7285.html and http://x-stream.github.io/CVE-2017-7957.html.
A mitigation for CVE-2013-7285 has been available since v1.4.7, but the issue showed up again when CVE-2017-7957 was fixed in v1.4.10.
So v1.4.11 was released to fix that regression.
However, v1.4.11 no longer ran on Java versions older than JDK 8, so v1.4.11.1 was released to address that.
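The following JUnit 4 test class is an added example of the kind of check this repository is about; it is not one of the repository's own tests and not code from the XStream project. It assumes XStream 1.4.11.1 and JUnit 4 on the classpath. The first payload follows the shape published in the CVE-2013-7285 advisory (a dynamic proxy whose handler is a `java.beans.EventHandler` targeting `java.lang.ProcessBuilder`), with the command replaced by a harmless `echo`; the second is the `<void/>` document from CVE-2017-7957. The third test shows the whitelist setup (`NoTypePermission.NONE` followed by `allowTypes`) that the XStream security page recommends, and checks that it still round-trips the types the application actually needs.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import java.util.ArrayList;
import java.util.Arrays;

import org.junit.Test;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamSecurityRegressionTest {

    // Constructed payload in the shape of the CVE-2013-7285 advisory; the command
    // is a harmless "echo" instead of the advisory's calc.exe.
    private static final String CVE_2013_7285_PAYLOAD =
        "<sorted-set>\n"
      + "  <string>foo</string>\n"
      + "  <dynamic-proxy>\n"
      + "    <interface>java.lang.Comparable</interface>\n"
      + "    <handler class=\"java.beans.EventHandler\">\n"
      + "      <target class=\"java.lang.ProcessBuilder\">\n"
      + "        <command>\n"
      + "          <string>echo</string>\n"
      + "          <string>pwned</string>\n"
      + "        </command>\n"
      + "      </target>\n"
      + "      <action>start</action>\n"
      + "    </handler>\n"
      + "  </dynamic-proxy>\n"
      + "</sorted-set>";

    // CVE-2017-7957: unmarshalling the primitive type void crashed XStream <= 1.4.9.
    private static final String CVE_2017_7957_PAYLOAD = "<void/>";

    // XStream wraps exceptions raised inside nested converters in a
    // ConversionException, so the ForbiddenClassException may sit in the cause chain.
    private static boolean rejectedBySecurityFramework(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ForbiddenClassException) {
                return true;
            }
        }
        return false;
    }

    private static void assertRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            fail("payload was deserialized instead of being rejected");
        } catch (XStreamException e) {
            assertTrue("expected ForbiddenClassException in cause chain, got " + e,
                       rejectedBySecurityFramework(e));
        }
    }

    @Test
    public void defaultSetupRejectsProcessBuilderGadget() {
        // A plain new XStream() in 1.4.10+ applies the built-in blacklist, which
        // denies java.beans.EventHandler and java.lang.ProcessBuilder.
        assertRejected(new XStream(), CVE_2013_7285_PAYLOAD);
    }

    @Test
    public void defaultSetupRejectsVoid() {
        assertRejected(new XStream(), CVE_2017_7957_PAYLOAD);
    }

    @Test
    public void whitelistRejectsPayloadsAndKeepsAllowedTypesWorking() {
        XStream xstream = new XStream();
        // Recommended hardening: NoTypePermission.NONE clears the blacklist and
        // forbids everything; then allow only the types the application exchanges.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.allowTypes(new Class[] { String.class, ArrayList.class });

        // Constructed sample input: the whitelisted list still round-trips.
        ArrayList<String> original = new ArrayList<String>(Arrays.asList("a", "b"));
        Object back = xstream.fromXML(xstream.toXML(original));
        assertEquals(original, back);

        // Both CVE payloads are now rejected by the whitelist rather than the blacklist
        // (TreeSet for <sorted-set> and void are simply not allowed).
        assertRejected(xstream, CVE_2013_7285_PAYLOAD);
        assertRejected(xstream, CVE_2017_7957_PAYLOAD);
    }
}
```

Run it against 1.4.11.1 and, to reproduce the history the README describes, swap the dependency to 1.4.9 and 1.4.10: the first test should then show whether the CVE-2013-7285 payload is rejected by that version's default setup. The whitelist test is the one that should pass on every version from 1.4.7 onward, which is why a whitelist, not the blacklist, is the configuration to ship.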
- http://x-stream.github.io/
- http://x-stream.github.io/security.html
- http://x-stream.github.io/changes.html
- http://x-stream.github.io/CVE-2017-7957.html
- http://x-stream.github.io/CVE-2013-7285.html
- x-stream/xstream#73 - an issue with HibernateMapper that had been open for a long time
- http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ - blog post that details how to reproduce the exploit
- x-stream/xstream#133 - the issue that prompted the v1.4.11.1 release