Description

Serialization is the process of turning an object into a data format that can be restored later. Objects are commonly serialized to save them to storage or to send them as part of a communication. Deserialization is the reverse of that process -- taking data structured in some format and rebuilding it into an object.

XStream is a simple library to serialize objects to XML and back again.

It was determined that your web application deserializes user-supplied data using the XStream library and is affected by one of the following vulnerabilities:

  • CVE-2013-7285: XStream can be used for Remote Code Execution.
  • CVE-2020-26258: A Server-Side Request Forgery (SSRF) can be triggered when unmarshalling with XStream, causing the server to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host.
  • CVE-2020-26217: XStream can be used for Remote Code Execution.

Remediation

Upgrade to the latest version of XStream to fix this issue.
