Severity: 7.5 HIGH
EPSS: 2.4% (top 15.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 28; Latest update Jul 16

Description

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Exploitability: 3.9 | Impact: 4.2

Affected Packages (4 packages)

Debian: libxstream-java < 1.4.15-3+deb11u2+3
NVD: xstream/xstream < 1.4.20
CVEListV5: x-stream/xstream < 1.4.20

🔴 Vulnerability Details (4)

GHSA: XStream can cause Denial of Service via stack overflow (2022-12-29)
OSV: XStream can cause Denial of Service via stack overflow (2022-12-29)
OSV: CVE-2022-41966: XStream serializes Java objects to XML and back again (2022-12-28)
CVEList: XStream Denial of Service via stack overflow (2022-12-27)

📋 Vendor Advisories (7)

Atlassian: CVE-2022-41966: DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Service Management Data Center and Server (2024-07-16)
Oracle: Oracle Commerce Risk Matrix: Endeca Application Controller (XStream) — CVE-2022-41966 (2023-10-15)
Oracle: Oracle Communications Applications Risk Matrix: Pricing Updater (XStream) — CVE-2022-41966 (2023-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Security Component (XStream) — CVE-2022-41966 (2023-04-15)
Ubuntu: XStream vulnerabilities (2023-03-13)