Uncontrolled Recursion Affecting xstream package, versions <1.4.20-150200.3.25.1


Severity

high (based on SUSE Linux Enterprise Server security rating)

Threat Intelligence

EPSS
0.8% (82nd percentile)

  • Snyk ID: SNYK-SLES153-XSTREAM-5296490
  • published: 30 Mar 2023
  • disclosed: 29 Mar 2023

Introduced: 29 Mar 2023

CVE-2022-41966
CWE-674

How to fix?

Upgrade SLES:15.3 xstream to version 1.4.20-150200.3.25.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xstream package and not the xstream package as distributed by SLES. See How to fix? for SLES:15.3 relevant fixed versions and status.

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely by manipulating the processed input stream. The attack uses the hash code implementation for collections and maps to force a recursive hash calculation that causes a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet, and whose XML refers to these only as the default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and that all elements are comparable.
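An added example, in Java, of applying the workaround described above and handling the exception the patched release raises; it is not code from the Snyk page or from the XStream project. It assumes that the description's "java.util" refers to java.util.Set, that the advisory's replacement types are TreeMap and TreeSet (consistent with the note that all elements must be comparable), and that InputManipulationException lives in the com.thoughtworks.xstream.security package of XStream 1.4.20 and later.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
// Assumed package for the exception introduced in 1.4.20.
import com.thoughtworks.xstream.security.InputManipulationException;

import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public final class XStreamHardening {

    /** Builds an XStream instance with the CVE-2022-41966 workaround applied. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Allow-list the types this application expects to deserialize
        // (XStream 1.4.18+ rejects anything not explicitly allowed).
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypeHierarchy(Set.class);
        // Workaround: a bare <map> or <set> element normally becomes a
        // HashMap/HashSet, whose hashCode() recurses into its elements.
        // TreeMap/TreeSet order by compareTo() instead, so the recursive
        // hash calculation described in the advisory is never triggered.
        // Consequence: every key and element must implement Comparable
        // (assumed replacement types, per the description's own caveat).
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);
        return xstream;
    }

    /** Deserializes untrusted XML, reporting manipulated input instead of crashing. */
    public static Object parse(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (InputManipulationException e) {
            // XStream 1.4.20+ turns the stack overflow into this exception.
            throw new IllegalArgumentException("rejected manipulated input", e);
        } catch (XStreamException e) {
            throw new IllegalArgumentException("malformed or disallowed input", e);
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed sample: a default <map> in XStream's own XML dialect.
        String xml = "<map><entry><string>host</string><string>db01</string></entry></map>";
        Object result = parse(xstream, xml);
        // Shows which concrete class the default implementation now yields.
        System.out.println(result.getClass().getName());
    }
}
```

On a release before 1.4.20 the workaround alone prevents the overflow; on 1.4.20 or later the catch block converts the library's InputManipulationException into an application-level rejection.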

CVSS Scores

version 3.1