oss-sec mailing list archives
CVE request: remote code execution via deserialization in XStream
From: David Jorm <djorm () redhat com>
Date: Fri, 10 Jan 2014 07:33:43 +1000
Hi All

As per the following email thread on the xstream-dev list:

http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3

Dinis Cruz et al. have reported a remote code execution flaw in XStream's XML deserialization. A PoC exploit is available here:

http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

An initial patch has been committed, adding a whitelist that limits deserialization to specified types:

https://fisheye.codehaus.org/changelog/xstream?cs=2210

Please assign a CVE ID to this issue.

Thanks
--
David Jorm / Red Hat Security Response Team