Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: remote code execution via deserialization in XStream
From: David Jorm <djorm () redhat com>
Date: Fri, 10 Jan 2014 07:33:43 +1000

Hi All

As per the following email thread on the xstream-dev list:

http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3

Dinis Cruz et. al. have reported a remote code execution flaw in XStream's XML deserialization. A PoC exploit is available here:

http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

An initial patch has been committed, adding a whitelist that limits deserialization to specified types:

https://fisheye.codehaus.org/changelog/xstream?cs=2210

Please assign a CVE ID to this issue.

Thanks
--
David Jorm / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]