CVE-2021-43859

 

Published at: - 01-02-2022 01:15

Last modified: - 09-08-2022 02:40

Total changes: - 10

Description

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

Verification logic

 

Reference

• https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
• https://x-stream.github.io/CVE-2021-43859.html
• https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
• [oss-security] 20220209 Vulnerability in Jenkins-Mailing List, Third Party Advisory
• FEDORA-2022-ad5cf1c0dd-Mailing List, Third Party Advisory
• FEDORA-2022-983a78275c-Mailing List, Third Party Advisory
• [debian-lts-announce] 20220215 [SECURITY] [DLA 2924-1] libxstream-java security update-Mailing List, Third Party Advisory
• https://www.oracle.com/security-alerts/cpuapr2022.html
• N/A-Patch, Third Party Advisory

 

Keywords

NVD

 

CVE-2021-43859

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures