{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47072", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-17T17:42:37.029Z", "datePublished": "2024-11-07T23:38:52.978Z", "dateUpdated": "2024-11-08T15:20:08.949Z"}, "containers": {"cna": {"title": "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"}, {"name": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "tags": ["x_refsource_MISC"], "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"}, {"name": "https://x-stream.github.io/CVE-2024-47072.html", "tags": ["x_refsource_MISC"], "url": "https://x-stream.github.io/CVE-2024-47072.html"}], "affected": [{"vendor": "x-stream", "product": "xstream", "versions": [{"version": "< 1.4.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-07T23:38:52.978Z"}, "descriptions": [{"lang": "en", "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."}], "source": {"advisory": "GHSA-hfq9-hggm-c56q", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "x-stream", "product": "x-stream", "cpes": ["cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.4.21", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-08T15:17:42.864003Z", "id": "CVE-2024-47072", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T15:20:08.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-08T15:17:42.864003Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*"], "vendor": "x-stream", "product": "x-stream", "versions": [{"status": "affected", "version": "0", "lessThan": "1.4.21", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T15:19:32.931Z"}}], "cna": {"title": "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", "source": {"advisory": "GHSA-hfq9-hggm-c56q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "x-stream", "product": "xstream", "versions": [{"status": "affected", "version": "< 1.4.21"}]}], "references": [{"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "name": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "tags": ["x_refsource_MISC"]}, {"url": "https://x-stream.github.io/CVE-2024-47072.html", "name": "https://x-stream.github.io/CVE-2024-47072.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-07T23:38:52.978Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47072", "state": "PUBLISHED", "dateUpdated": "2024-11-08T15:20:08.949Z", "dateReserved": "2024-09-17T17:42:37.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-07T23:38:52.978Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."}, {"lang": "es", "value": "XStream es una librer\u00eda sencilla para serializar objetos en formato XML y viceversa. Esta vulnerabilidad puede permitir que un atacante remoto finalice la aplicaci\u00f3n con un error de desbordamiento de pila que resulte en una denegaci\u00f3n de servicio solo al manipular el flujo de entrada procesado cuando XStream est\u00e1 configurado para usar BinaryStreamDriver. Se ha aplicado un parche a XStream 1.4.21 para detectar la manipulaci\u00f3n en el flujo de entrada binario que causa el desbordamiento de pila y genera una InputManipulationException en su lugar. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden detectar el StackOverflowError en el c\u00f3digo del cliente que llama a XStream si XStream est\u00e1 configurado para usar BinaryStreamDriver."}], "id": "CVE-2024-47072", "lastModified": "2024-11-08T19:01:03.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-08T00:15:14.937", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"}, {"source": "security-advisories@github.com", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"}, {"source": "security-advisories@github.com", "url": "https://x-stream.github.io/CVE-2024-47072.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", "id": "2324606", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324606"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-121|CWE-502)", "details": ["XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.", "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47072", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Quarkus Native builder"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "streams for Apache Kafka"}], "public_date": "2024-11-07T23:38:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47072\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47072\nhttps://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\nhttps://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\nhttps://x-stream.github.io/CVE-2024-47072.html"], "statement": "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability\u2019s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", "threat_severity": "Important"}