CVE-2017-7957 Information

Description

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

http://www.debian.org/security/2017/dsa-3841
http://www.securityfocus.com/bid/100687
http://www.securitytracker.com/id/1039499
http://x-stream.github.io/CVE-2017-7957.html
https://access.redhat.com/errata/RHSA-2017:1832
https://access.redhat.com/errata/RHSA-2017:2888
https://access.redhat.com/errata/RHSA-2017:2889
https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
https://www-prd-trops.events.ibm.com/node/715749

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

7.5

Base Severity

HIGH
