{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-04-29T00:00:00", "descriptions": [{"lang": "en", "value": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-05T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2017:2888", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2888"}, {"name": "RHSA-2017:1832", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"name": "RHSA-2017:2889", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2889"}, {"name": "1039499", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039499"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www-prd-trops.events.ibm.com/node/715749"}, {"name": "xstream-cve20177957-dos(125800)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800"}, {"name": "DSA-3841", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3841"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://x-stream.github.io/CVE-2017-7957.html"}, {"name": "100687", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100687"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7957", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:2888", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2888"}, {"name": "RHSA-2017:1832", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"name": "RHSA-2017:2889", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2889"}, {"name": "1039499", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039499"}, {"name": "https://www-prd-trops.events.ibm.com/node/715749", "refsource": "CONFIRM", "url": "https://www-prd-trops.events.ibm.com/node/715749"}, {"name": "xstream-cve20177957-dos(125800)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800"}, {"name": "DSA-3841", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3841"}, {"name": "http://x-stream.github.io/CVE-2017-7957.html", "refsource": "CONFIRM", "url": "http://x-stream.github.io/CVE-2017-7957.html"}, {"name": "100687", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100687"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:19:29.479Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:2888", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2888"}, {"name": "RHSA-2017:1832", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"name": "RHSA-2017:2889", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2889"}, {"name": "1039499", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039499"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www-prd-trops.events.ibm.com/node/715749"}, {"name": "xstream-cve20177957-dos(125800)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800"}, {"name": "DSA-3841", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3841"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://x-stream.github.io/CVE-2017-7957.html"}, {"name": "100687", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100687"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7957", "datePublished": "2017-04-29T19:00:00", "dateReserved": "2017-04-19T00:00:00", "dateUpdated": "2024-08-05T16:19:29.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", "matchCriteriaId": "09F03F13-9D82-4AC4-805E-330346A0A37A", "versionEndIncluding": "1.4.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call."}, {"lang": "es", "value": "XStream a trav\u00e9s de 1.4.9, cuando no se utiliza una soluci\u00f3n de denyTypes, mishandles intenta crear una instancia del tipo primitivo 'void' durante unmarshalling, dando lugar a un fallo de aplicaci\u00f3n remota, como lo demuestra una llamda a xstream.fromXML (\" > \")."}], "id": "CVE-2017-7957", "lastModified": "2019-03-26T17:15:49.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-29T19:59:00.167", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2017/dsa-3841"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100687"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039499"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://x-stream.github.io/CVE-2017-7957.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2888"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2889"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://www-prd-trops.events.ibm.com/node/715749"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:1832", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "package": "camel", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2017-08-10T00:00:00Z"}, {"advisory": "RHSA-2017:2889", "cpe": "cpe:/a:redhat:jboss_bpms:6.4", "product_name": "Red Hat JBoss BPMS 6.4", "release_date": "2017-10-12T00:00:00Z"}, {"advisory": "RHSA-2017:2888", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", "package": "xstream", "product_name": "Red Hat JBoss BRMS 6.4", "release_date": "2017-10-12T00:00:00Z"}, {"advisory": "RHSA-2017:1832", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "camel", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2017-08-10T00:00:00Z"}], "bugzilla": {"description": "XStream: DoS when unmarshalling void type", "id": "1441538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system."], "name": "CVE-2017-7957", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Affected", "package_name": "xstream", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "xstream", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Under investigation", "package_name": "jasperreports-server-pro", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "camel", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Will not fix", "package_name": "xstream", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "xstream", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Will not fix", "package_name": "xstream", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Will not fix", "package_name": "xstream", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "xstream", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "xstream", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "xstream", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "impact": "low", "package_name": "xstream", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2017-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7957\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7957\nhttp://x-stream.github.io/CVE-2017-7957.html"], "threat_severity": "Moderate"}