CVE-2024-47072 - Vulnerability Details

CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Jboss Data Grid Ocp Tools
X-stream	X-stream

No data.

Package	CPE	Advisory	Released Date
OCP-Tools-4.12-RHEL-8
jenkins-0:2.479.3.1740464431-3.el8	cpe:/a:redhat:ocp_tools:4.12::el8	RHSA-2025:2223	2025-03-04T00:00:00Z
jenkins-2-plugins-0:4.12.1740464689-1.el8	cpe:/a:redhat:ocp_tools:4.12::el8	RHSA-2025:2223	2025-03-04T00:00:00Z
OCP-Tools-4.13-RHEL-8
jenkins-0:2.479.3.1740464433-3.el8	cpe:/a:redhat:ocp_tools:4.13::el8	RHSA-2025:2222	2025-03-04T00:00:00Z
jenkins-2-plugins-0:4.13.1740464698-1.el8	cpe:/a:redhat:ocp_tools:4.13::el8	RHSA-2025:2222	2025-03-04T00:00:00Z
OCP-Tools-4.14-RHEL-8
jenkins-0:2.479.3.1740109575-3.el8	cpe:/a:redhat:ocp_tools:4.14::el8	RHSA-2025:2221	2025-03-04T00:00:00Z
jenkins-2-plugins-0:4.14.1740109868-1.el8	cpe:/a:redhat:ocp_tools:4.14::el8	RHSA-2025:2221	2025-03-04T00:00:00Z
OCP-Tools-4.15-RHEL-8
jenkins-0:2.479.3.1740051993-3.el8	cpe:/a:redhat:ocp_tools:4.15::el8	RHSA-2025:2220	2025-03-04T00:00:00Z
jenkins-2-plugins-0:4.15.1740052174-1.el8	cpe:/a:redhat:ocp_tools:4.15::el8	RHSA-2025:2220	2025-03-04T00:00:00Z
OCP-Tools-4.16-RHEL-9
jenkins-0:2.479.3.1739896390-3.el9	cpe:/a:redhat:ocp_tools:4.16::el9	RHSA-2025:2219	2025-03-04T00:00:00Z
jenkins-2-plugins-0:4.16.1739896683-1.el9	cpe:/a:redhat:ocp_tools:4.16::el9	RHSA-2025:2219	2025-03-04T00:00:00Z
OCP-Tools-4.17-RHEL-9
jenkins-0:2.479.3.1739859586-3.el9	cpe:/a:redhat:ocp_tools:4.17::el9	RHSA-2025:2218	2025-03-04T00:00:00Z
jenkins-2-plugins-0:4.17.1739859908-1.el9	cpe:/a:redhat:ocp_tools:4.17::el9	RHSA-2025:2218	2025-03-04T00:00:00Z
Red Hat Data Grid
com.thoughtworks.xstream/xstream	cpe:/a:redhat:jboss_data_grid:8	RHSA-2024:10214	2024-11-25T00:00:00Z

References

Link	Providers
https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
https://nvd.nist.gov/vuln/detail/CVE-2024-47072
https://www.cve.org/CVERecord?id=CVE-2024-47072
https://x-stream.github.io/CVE-2024-47072.html

History

Wed, 05 Mar 2025 04:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat ocp Tools
CPEs		cpe:/a:redhat:ocp_tools:4.12::el8 cpe:/a:redhat:ocp_tools:4.13::el8 cpe:/a:redhat:ocp_tools:4.14::el8 cpe:/a:redhat:ocp_tools:4.15::el8 cpe:/a:redhat:ocp_tools:4.16::el9 cpe:/a:redhat:ocp_tools:4.17::el9
Vendors & Products		Redhat ocp Tools

Tue, 26 Nov 2024 06:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat jboss Data Grid
CPEs		cpe:/a:redhat:jboss_data_grid:8
Vendors & Products		Redhat Redhat jboss Data Grid

Sat, 09 Nov 2024 01:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-47072 https://www.cve.org/CVERecord?id=CVE-2024-47072
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 08 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		X-stream X-stream x-stream
CPEs		cpe:2.3:a:x-stream:x-stream::::::::
Vendors & Products		X-stream X-stream x-stream
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 08 Nov 2024 00:00:00 +0000

Type	Values Removed	Values Added
Description		XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
Title		XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Weaknesses		CWE-121 CWE-502
References		https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266 https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q https://x-stream.github.io/CVE-2024-47072.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-07T23:38:52.978Z

Updated: 2024-11-08T15:20:08.949Z

Reserved: 2024-09-17T17:42:37.029Z

Link: CVE-2024-47072

Vulnrichment

Updated: 2024-11-08T15:19:32.931Z

NVD

Status : Awaiting Analysis

Published: 2024-11-08T00:15:14.937

Modified: 2024-11-08T19:01:03.880

Link: CVE-2024-47072

Redhat

Severity : Important

Publid Date: 2024-11-07T23:38:52Z

Links: CVE-2024-47072 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47072", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-17T17:42:37.029Z", "datePublished": "2024-11-07T23:38:52.978Z", "dateUpdated": "2024-11-08T15:20:08.949Z"}, "containers": {"cna": {"title": "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"}, {"name": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "tags": ["x_refsource_MISC"], "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"}, {"name": "https://x-stream.github.io/CVE-2024-47072.html", "tags": ["x_refsource_MISC"], "url": "https://x-stream.github.io/CVE-2024-47072.html"}], "affected": [{"vendor": "x-stream", "product": "xstream", "versions": [{"version": "< 1.4.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-07T23:38:52.978Z"}, "descriptions": [{"lang": "en", "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."}], "source": {"advisory": "GHSA-hfq9-hggm-c56q", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "x-stream", "product": "x-stream", "cpes": ["cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.4.21", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-08T15:17:42.864003Z", "id": "CVE-2024-47072", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T15:20:08.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-08T15:17:42.864003Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*"], "vendor": "x-stream", "product": "x-stream", "versions": [{"status": "affected", "version": "0", "lessThan": "1.4.21", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T15:19:32.931Z"}}], "cna": {"title": "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", "source": {"advisory": "GHSA-hfq9-hggm-c56q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "x-stream", "product": "xstream", "versions": [{"status": "affected", "version": "< 1.4.21"}]}], "references": [{"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "name": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", "tags": ["x_refsource_MISC"]}, {"url": "https://x-stream.github.io/CVE-2024-47072.html", "name": "https://x-stream.github.io/CVE-2024-47072.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-07T23:38:52.978Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47072", "state": "PUBLISHED", "dateUpdated": "2024-11-08T15:20:08.949Z", "dateReserved": "2024-09-17T17:42:37.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-07T23:38:52.978Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."}, {"lang": "es", "value": "XStream es una librer\u00eda sencilla para serializar objetos en formato XML y viceversa. Esta vulnerabilidad puede permitir que un atacante remoto finalice la aplicaci\u00f3n con un error de desbordamiento de pila que resulte en una denegaci\u00f3n de servicio solo al manipular el flujo de entrada procesado cuando XStream est\u00e1 configurado para usar BinaryStreamDriver. Se ha aplicado un parche a XStream 1.4.21 para detectar la manipulaci\u00f3n en el flujo de entrada binario que causa el desbordamiento de pila y genera una InputManipulationException en su lugar. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden detectar el StackOverflowError en el c\u00f3digo del cliente que llama a XStream si XStream est\u00e1 configurado para usar BinaryStreamDriver."}], "id": "CVE-2024-47072", "lastModified": "2024-11-08T19:01:03.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-08T00:15:14.937", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"}, {"source": "security-advisories@github.com", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"}, {"source": "security-advisories@github.com", "url": "https://x-stream.github.io/CVE-2024-47072.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:2223", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.479.3.1740464431-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2223", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1740464689-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2222", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-0:2.479.3.1740464433-3.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2222", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1740464698-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2221", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-0:2.479.3.1740109575-3.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2221", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1740109868-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2220", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-0:2.479.3.1740051993-3.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2220", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-2-plugins-0:4.15.1740052174-1.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2219", "cpe": "cpe:/a:redhat:ocp_tools:4.16::el9", "package": "jenkins-0:2.479.3.1739896390-3.el9", "product_name": "OCP-Tools-4.16-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2219", "cpe": "cpe:/a:redhat:ocp_tools:4.16::el9", "package": "jenkins-2-plugins-0:4.16.1739896683-1.el9", "product_name": "OCP-Tools-4.16-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2218", "cpe": "cpe:/a:redhat:ocp_tools:4.17::el9", "package": "jenkins-0:2.479.3.1739859586-3.el9", "product_name": "OCP-Tools-4.17-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2218", "cpe": "cpe:/a:redhat:ocp_tools:4.17::el9", "package": "jenkins-2-plugins-0:4.17.1739859908-1.el9", "product_name": "OCP-Tools-4.17-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2024:10214", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Data Grid", "release_date": "2024-11-25T00:00:00Z"}], "bugzilla": {"description": "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", "id": "2324606", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324606"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "(CWE-121|CWE-502)", "details": ["XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.", "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47072", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat build of Quarkus Native builder"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "com.thoughtworks.xstream/xstream", "product_name": "streams for Apache Kafka"}], "public_date": "2024-11-07T23:38:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47072\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47072\nhttps://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\nhttps://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\nhttps://x-stream.github.io/CVE-2024-47072.html"], "statement": "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability\u2019s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object