pkrajanand/xstream_v1_4_11_security_issues
Overview

This repository contains JUnit tests that demonstrate how XStream v1.4.11 responds to the security issues CVE-2013-7285 (http://x-stream.github.io/CVE-2013-7285.html) and CVE-2017-7957 (http://x-stream.github.io/CVE-2017-7957.html).

Summary of behaviour from v1.4.7 to v1.4.11.1

A way to deal with CVE-2013-7285 was provided in v1.4.7, but the issue showed up again when CVE-2017-7957 was fixed in v1.4.10.

v1.4.11 was therefore released to fix this regression.

However, v1.4.11 broke Java runtime environments below JDK 8, so v1.4.11.1 was released to address that.

References

  1. http://x-stream.github.io/
  2. http://x-stream.github.io/security.html
  3. http://x-stream.github.io/changes.html
  4. http://x-stream.github.io/CVE-2017-7957.html
  5. http://x-stream.github.io/CVE-2013-7285.html
  6. x-stream/xstream#73 - an open issue that appears to have existed for a long time with HibernateMapper
  7. http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ - blog post detailing how to reproduce the vulnerable cases
  8. x-stream/xstream#133 - the issue that prompted the v1.4.11.1 release

About

Demonstrates security issues specific to XStream v1.4.11. See https://github.com/pkrajanand/xstream_v1_4_9_security_issues for the v1.4.9 behaviour.
