CVE-2021-43859 (High) detected in xstream-1.4.5.jar

[mend-for-github-com]

CVE-2021-43859 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.5.jar

XStream is a serialization library from Java objects to XML and back.

Path to dependency file: /webgoat-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/canner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar

Dependency Hierarchy:

• ❌ xstream-1.4.5.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Publish Date: 2022-02-01

URL: CVE-2021-43859

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rmr5-cpv2-vgjf

Release Date: 2022-02-01

Fix Resolution: 1.4.6

---

⛑️ Automatic Remediation is available for this issue