oss-sec mailing list archives

CVE request: remote code execution via deserialization in XStream
From: David Jorm <djorm () redhat com>
Date: Fri, 10 Jan 2014 07:33:43 +1000

Hi All,

As per the following email thread on the xstream-dev list:


Dinis Cruz et al. have reported a remote code execution flaw in XStream's XML deserialization. A PoC exploit is available here:


An initial patch has been committed, adding a whitelist that limits deserialization to specified types:


Please assign a CVE ID to this issue.

David Jorm / Red Hat Security Response Team
