CVE-2017-7957

EPSS 2.95%
Veröffentlicht 29.04.2017 19:59:00
Zuletzt bearbeitet 23.05.2025 17:54:30
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Fuse Version1.0

Redhat ≫ Jboss Middleware Version1

Xstream ≫ Xstream Version <= 1.4.9

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.95%	0.859

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/errata/RHSA-2017:1832

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2888

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2889

Third Party Advisory

http://www.debian.org/security/2017/dsa-3841

Third Party Advisory

Mailing List

http://www.securityfocus.com/bid/100687

Third Party Advisory

Broken Link