CVE-2024-47072— XStream 安全漏洞

XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

栈缓冲区溢出

XStream 安全漏洞

XStream是XStream团队的一个轻量级的、简单易用的开源Java类库，它主要用于将对象序列化成XML（JSON）或反序列化为对象。 XStream存在安全漏洞，该漏洞源于当XStream配置为使用BinaryStreamDriver时，此漏洞可能允许远程攻击者通过操纵已处理的输入流来终止应用程序并导致拒绝服务，从而产生堆栈溢出错误。

N/A

N/A