Xstream
CVE-2019-10173
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2,079 maven packages depend on com.thoughtworks.xstream:xstream (279 direct, 1,813 indirect)
Ecosystem-wide dependent count for version 1.4.10.
DescriptionNVD
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
AnalysisAI
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) Affected products include: Xstream, Oracle Banking Platform, Oracle Business Activity Monitoring, Oracle Communications Billing And Revenue Management Elastic Charging Engine, Oracle Communications Diameter Signaling Router. Version information: version 1.4.10.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerabili
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.9), this vulnerabi
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerabi
XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerabi
XStream is software for serializing Java objects to XML and back again. Rated high severity (CVSS 8.8), this vulnerabili
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to ru
XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 8.6), this vulnerability
XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerabili
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today