XStream up to and including 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
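
The denyTypes workaround mentioned above, as an added example that is not code from this page or from the XStream project. It assumes the workaround consists of denying `void.class` and `Void.class`, which the page does not spell out; the class and method names `DenyVoidExample`, `hardenedXStream` and `parseUntrusted` are hypothetical, and the XStream library must be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

public class DenyVoidExample {

    /** Builds an XStream instance that refuses to unmarshal the 'void' types. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Assumed form of the workaround: forbid the primitive 'void' type
        // and its wrapper before any untrusted XML is parsed.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /** Returns the unmarshalled object, or null if XStream rejected the input. */
    static Object parseUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            // A denied type surfaces as an exception the caller can log and
            // handle, so the request fails without taking the application down.
            System.err.println("rejected: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed inputs: the document from the description, then a benign one.
        System.out.println(parseUntrusted(xstream, "<void/>"));
        System.out.println(parseUntrusted(xstream, "<string>hello</string>"));
    }
}
```

Apply the deny rule to every XStream instance that reads untrusted XML; an instance created elsewhere without it keeps the behaviour described above.
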
Vulnerable Product |
---|
xstream project xstream |
debian debian linux 8.0 |
debian debian linux 9.0 |