XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.

  - xstream: Denial of Service by injecting recursive collections or maps based on element's hash values     raising a stack overflow (CVE-2022-41966)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  - jenkins-2-plugin: email-ext: Missing permission check in Email Extension Plugin (CVE-2023-32979)

  - jenkins-2-plugin: email-ext: CSRF vulnerability in Email Extension Plugin (CVE-2023-32980)

  - jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility     Steps Plugin (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3663 advisory.

  - http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

  - springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)

  - jettison: parser crash by stackoverflow (CVE-2022-40149)

  - jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

  - xstream: Denial of Service by injecting recursive collections or maps based on element's hash values     raising a stack overflow (CVE-2022-41966)

  - jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

  - jackson-databind: use of deeply nested arrays (CVE-2022-42004)

  - json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)     (CVE-2023-1370)

  - jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)

  - Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)

  - Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)

  - Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

  - jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  - jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility     Steps Plugin (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

  - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using ** as a pattern in Spring     Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring     Security and Spring MVC, and the potential for a security bypass. (CVE-2023-20860)

  - Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to     be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able     to set build display names immediately. (CVE-2023-32977)

  - Jenkins Email Extension Plugin does not perform a permission check in a method implementing form     validation, allowing attackers with Overall/Read permission to check for the existence of files in the     email-templates/ directory in the Jenkins home directory on the controller file system. (CVE-2023-32979)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to     make another user stop watching an attacker-specified job. (CVE-2023-32980)

  - An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows     attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent     file system with attacker-specified content. (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0 version of WebCenter Sites installed on the remote host is affected by multiple vulnerabilities as referenced in the July 2023 CPU advisory.

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites (XStream)).     The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability     can result in the attacker crashing the application with a stack overflow error via via manipulation the     processed input stream. (CVE-2022-41966)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites (Apache Commons IO)).     The supported version that is affected is 12.2.1.4.0. Difficult to exploint vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability     can result in unauthorized access to files specifically in the parent directory. (CVE-2021-29425)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.4.0.0 versions of Enterprise Manager Ops Center installed on the remote host are affected by a DoS vulnerability in XStream component as referenced in the April 2023 CPU advisory. XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2007 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1673-1 advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5946-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 9d9e9439-959e-11ed-b464-b42e991fc52e advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3267 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-5315 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194326	RHEL 8 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)	Nessus	Red Hat Local Security Checks	high
194242	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3663)	Nessus	Red Hat Local Security Checks	critical
189419	RHCOS 4 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)	Nessus	Red Hat Local Security Checks	high
178706	Oracle WebCenter Sites (Jul 2023 CPU)	Nessus	Windows	medium
174627	Oracle Enterprise Manager Ops Center (Apr 2023 CPU)	Nessus	Misc.	high
173906	Amazon Linux 2 : xstream (ALAS-2023-2007)	Nessus	Amazon Linux Local Security Checks	high
173696	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xstream (SUSE-SU-2023:1673-1)	Nessus	SuSE Local Security Checks	high
172496	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : XStream vulnerabilities (USN-5946-1)	Nessus	Ubuntu Local Security Checks	high
170077	FreeBSD : security/keycloak -- Multiple possible DoS attacks (9d9e9439-959e-11ed-b464-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high
170076	Debian DLA-3267-1 : libxstream-java - LTS security update	Nessus	Debian Local Security Checks	high
169930	Debian DSA-5315-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-41966

high

Tenable Plugins

high

critical

high

medium

high

high

high

high

high

high

high