CVE-2017-7957

EPSS 2.95%
Published 29.04.2017 19:59:00
Last modified 23.05.2025 17:54:30
Source cve@mitre.org
Teams watchlist Login
Open Login

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

Affected products Warnungen 0 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Fuse Version1.0

Redhat ≫ Jboss Middleware Version1

Xstream ≫ Xstream Version <= 1.4.9

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.95%	0.859

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/errata/RHSA-2017:1832

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2888

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2889

Third Party Advisory

http://www.debian.org/security/2017/dsa-3841

Third Party Advisory

Mailing List

http://www.securityfocus.com/bid/100687

Third Party Advisory

Broken Link