CVE-2022-40151

Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Published: Sep 16, 2022
Updated: May 9, 2024
CVE: CVE-2022-40151
GHSA: GHSA-f8cc-g7j8-xxpm
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-121
CWE-787
CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
com.thoughtworks.xstream / xstream	-	1.4.20
xstream / xstream	-	1.4.20

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367
https://github.com/x-stream/xstream/issues/304
https://github.com/x-stream/xstream/issues/314
https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm
https://x-stream.github.io/CVE-2022-40151.html

Vulnerability Database

289,599

CVE-2022-40151