+
Skip to content

CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream #37360

New issue
New issue
Closed
#37470
Closed
CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream#37360
#37470
Assignees
abstractj
Labels
kind/bugCategorizes a PR related to a bugrelease/24.0.11release/26.0.10release/26.1.3release/26.2.0
Milestone
 
26.2.0
@abstractj

Description

@abstractj
abstractj
opened on Feb 14, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

No response

Describe the bug

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

GHSA-hfq9-hggm-c56q

Version

24.0.10

Regression

  • The issue is a regression

Expected behavior

No CVEs reported for 24.

Actual behavior

CVEs reported for 24.

How to Reproduce?

Switch to 24 branch and check the XStream version.

Anything else?

No response

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes a PR related to a bugrelease/24.0.11release/26.0.10release/26.1.3release/26.2.0

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载