CVE-2017-7957: Denial of service in XStream
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type ‘void’ during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.
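A hardened XStream configuration that applies the denyTypes workaround the description refers to, plus a whitelist so that untrusted XML can only produce the application's own types. This is an added example, not code from the XStream project or this advisory; the `Order` payload class and the sample XML are hypothetical placeholders.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamVoidHardening {

    // Hypothetical application payload type that untrusted XML is allowed to produce.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Builds an XStream instance for untrusted input on a 1.4.7 - 1.4.9 baseline.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Whitelist: deny everything, then re-allow null, primitives/wrappers and
        // the application's own type. Each addPermission call is consulted before
        // the earlier ones, so the order below matters.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Order.class });
        // CVE-2017-7957 workaround: 'void' counts as a primitive, so the line above
        // would still admit it. Deny it explicitly, after the allows, so the check
        // fires first and unmarshalling raises ForbiddenClassException instead of
        // crashing the application. Harmless on 1.4.10+, where this is fixed.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Unmarshals untrusted XML, returning null (and logging) when a type is rejected.
    public static Object safeFromXML(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.err.println("rejected type in untrusted XML: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed sample input: the payload type the application expects.
        String sample = "<XStreamVoidHardening_-Order><id>A1</id><quantity>2</quantity>"
                      + "</XStreamVoidHardening_-Order>";
        Object result = safeFromXML(xstream, sample);
        System.out.println(result == null ? "rejected" : "accepted " + ((Order) result).id);
    }
}
```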
References
- access.redhat.com/errata/RHSA-2017:1832
- access.redhat.com/errata/RHSA-2017:2888
- access.redhat.com/errata/RHSA-2017:2889
- exchange.xforce.ibmcloud.com/vulnerabilities/125800
- github.com/advisories/GHSA-7hwc-46rm-65jh
- github.com/x-stream/xstream
- github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab
- github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d
- github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4
- nvd.nist.gov/vuln/detail/CVE-2017-7957
- www-prd-trops.events.ibm.com/node/715749