CVE-2021-43859

Exploit

EPSS 1.86%
Veröffentlicht 01.02.2022 12:15:08
Zuletzt bearbeitet 03.11.2025 22:15:52
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Denial of Service by injecting highly recursive collections or maps in XStream

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 13

NVD 19 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Jenkins Version < 2.319.3

Jenkins ≫ Jenkins Version >= 2.321 < 2.334

Xstream ≫ Xstream Version < 1.4.19

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Debian ≫ Debian Linux Version9.0

Oracle ≫ Commerce Guided Search Version11.3.2

Oracle ≫ Communications Brm - Elastic Charging Engine Version < 12.0.0.4.6

Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.5.0

Oracle ≫ Communications Cloud Native Core Automated Test Suite Version1.9.0

Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.0.0 <= 8.1.0

Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.2.0 <= 8.2.6

Oracle ≫ Communications Policy Management Version12.6.0.0.0

Oracle ≫ Flexcube Private Banking Version12.1.0

Oracle ≫ Retail Xstore Point Of Service Version16.0.6

Oracle ≫ Retail Xstore Point Of Service Version17.0.4

Oracle ≫ Retail Xstore Point Of Service Version18.0.3

Oracle ≫ Retail Xstore Point Of Service Version19.0.2

Oracle ≫ Retail Xstore Point Of Service Version20.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.86%	0.829

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

http://www.openwall.com/lists/oss-security/2022/02/09/1

Third Party Advisory

Mailing List

https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846

Patch

Third Party Advisory