CVE-2021-43859

Published: 01/02/2022 Updated: 09/08/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

XStream is an open source Java library to serialize objects to XML and back again. Versions before 1.4.19 allow a remote attacker, solely by manipulating the processed input stream, to consume 100% of CPU time on the target system (depending on CPU type, or on parallel execution of such payloads), resulting in a denial of service. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Affected Products

xstream project: xstream
fedoraproject: fedora 34
fedoraproject: fedora 35
debian: debian linux 9.0
oracle: flexcube private banking 12.1.0
oracle: commerce guided search 11.3.2
oracle: retail xstore point of service 16.0.6
oracle: retail xstore point of service 17.0.4
oracle: retail xstore point of service 18.0.3
oracle: retail xstore point of service 19.0.2
oracle: retail xstore point of service 20.0.1
oracle: communications cloud native core automated test suite 1.9.0
oracle: communications policy management 12.6.0.0.0
oracle: communications diameter intelligence hub
oracle: communications brm - elastic charging engine 12.0.0.5.0
oracle: communications brm - elastic charging engine

Vendor Advisories

XStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors ...
Synopsis: Moderate: Red Hat Integration Camel Extensions for Quarkus 2.7 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat Integration Camel Extensions for Quarkus 2.7 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as h ...
Synopsis: Important: OpenShift Container Platform 3.11.665 security and bug fix update. Type/Severity: Security Advisory: Important. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory. View affected systems. Topic: Red Hat OpenShift Container Platform release 3.11.665 is now available with updates to p ...
Synopsis: Important: Red Hat Fuse 7.11.0 release and security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update ...

Mailing Lists

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Jenkins 2.334 * Jenkins LTS 2.319.3. Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: ...