Maven package
com.thoughtworks.xstream/xstream
pkg:maven/com.thoughtworks.xstream/xstream
Vulnerabilities (37)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21349 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stre | ||
| CVE-2021-21350 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the reco | ||
| CVE-2021-21351 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, | ||
| CVE-2021-21341 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting | ||
| CVE-2021-21342 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new inst | ||
| CVE-2021-21343 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new inst | ||
| CVE-2021-21344 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff | ||
| CVE-2021-21345 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is | ||
| CVE-2021-21346 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff | ||
| CVE-2021-21347 | — | < 1.4.16 | 1.4.16 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff | ||
| CVE-2020-26258 | — | < 1.4.15 | 1.4.15 | Dec 16, 2020 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are | ||
| CVE-2020-26259 | — | < 1.4.15 | 1.4.15 | Dec 16, 2020 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as lo | ||
| CVE-2020-26217 | — | < 1.4.14-java7 | 1.4.14-java7 | Nov 16, 2020 | XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Fram | ||
| CVE-2019-10173 | — | >= 1.4.10, < 1.4.11 | 1.4.11 | Jul 23, 2019 | It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported forma | ||
| CVE-2013-7285 | — | < 1.4.7 | 1.4.7 | May 15, 2019 | Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. | ||
| CVE-2017-7957 | — | < 1.4.10 | 1.4.10 | Apr 29, 2017 | XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. | ||
| CVE-2016-3674 | — | < 1.4.9 | 1.4.9 | May 17, 2016 | Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML |
- CVE-2021-21349Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stre
- CVE-2021-21350Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the reco
- CVE-2021-21351Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected,
- CVE-2021-21341Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting
- CVE-2021-21342Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new inst
- CVE-2021-21343Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new inst
- CVE-2021-21344Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff
- CVE-2021-21345Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is
- CVE-2021-21346Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff
- CVE-2021-21347Mar 22, 2021affected < 1.4.16fixed 1.4.16
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff
- CVE-2020-26258Dec 16, 2020affected < 1.4.15fixed 1.4.15
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are
- CVE-2020-26259Dec 16, 2020affected < 1.4.15fixed 1.4.15
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as lo
- CVE-2020-26217Nov 16, 2020affected < 1.4.14-java7fixed 1.4.14-java7
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Fram
- CVE-2019-10173Jul 23, 2019affected >= 1.4.10, < 1.4.11fixed 1.4.11
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported forma
- CVE-2013-7285May 15, 2019affected < 1.4.7fixed 1.4.7
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
- CVE-2017-7957Apr 29, 2017affected < 1.4.10fixed 1.4.10
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.
- CVE-2016-3674May 17, 2016affected < 1.4.9fixed 1.4.9
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML
Page 2 of 2