
[GHSA-4cch-wxpw-8p28] Update Attack Complexity from Low to High #5171


vulnerability-analyst

The CVE-2020-26258 / GHSA-4cch-wxpw-8p28 should be rated with an Attack Complexity of High rather than Low because the manipulation of input streams to exploit the vulnerability demands significant effort and precise preparation, aligning with the criteria for a High complexity rating in CVSS 3.x specification: “a measurable amount of effort in preparation or execution against the vulnerable component is required before a successful attack can be expected.”

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.

Additionally, similar CVEs affecting the same package, com.thoughtworks.xstream:xstream, have consistently rated Attack Complexity as High due to analogous factors.

| ID | Description | CVSS 3.x |
| --- | --- | --- |
| CVE-2021-21344 / GHSA-59jw-jqf4-3wq3 | The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-21342 / GHSA-hvv8-336g-rx3m | The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-21350 / GHSA-43gc-mjxg-gvrq | The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-39153 / GHSA-2q8x-2p7f-574v | The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVE-2021-39150 / GHSA-cxfm-5m4g-x7xp | The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVE-2021-39152 / GHSA-xw4p-crpj-vjx2 | The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVE-2020-26259 / GHSA-jfvx-7wrx-43fh | The vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights only by manipulating the processed input stream. | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |

@github-actions github-actions bot changed the base branch from main to vulnerability-analyst/advisory-improvement-5171 January 15, 2025 00:31
shelbyc (Contributor) commented Jan 15, 2025

Hi @vulnerability-analyst, I agree with changing AC:L to AC:H, based on the sentence “No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.” That sentence, to me, indicates that there is a non-recommended and possibly non-standard setup required to exploit the vulnerability. The sentence “The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.” just indicates that there is confidentiality impact but, to me, doesn't say anything about attack complexity. I'll change the CVSS for GHSA-4cch-wxpw-8p28 and for GitHub's CVE record for CVE-2020-26258.

@advisory-database advisory-database bot merged commit fb0da87 into github:vulnerability-analyst/advisory-improvement-5171 Jan 15, 2025
2 checks passed
@advisory-database
Contributor

Hi @vulnerability-analyst! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
