Update dependency com.thoughtworks.xstream:xstream to v1.4.21 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.thoughtworks.xstream:xstream (source)	1.4.16 -> 1.4.21

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-29505

Impact

The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-29505.

Credits

V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Email us at XStream Google Group

CVE-2021-39150

Impact

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39150.

Credits

Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39152

Impact

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39152.

Credits

m0d9 of the Security Team of Alibaba Cloud found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39148

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39148.

Credits

wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39140

Impact

The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39140.

Credits

The vulnerability was discovered and reported by Lai Han of nsfocus security team.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39153

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39153.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39141

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39141.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39149

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39149.

Credits

Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39154

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39154.

Credits

ka1n4t found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39151

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39151.

Credits

Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39145

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39145.

Credits

李安诺 (Li4n0) from Alibaba Cloud Security Team and Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue independently to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39139

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39139.

Credits

Lai Han of nsfocus security team found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39146

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39146.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39147

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39147.

Credits

wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2021-39144

Impact

The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39144.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Email us at XStream Google Group

CVE-2021-43859

Impact

The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded.

Workarounds

The attack uses the hash code implementation for collections and maps to force an exponential calculation time due to highly recursive structures with in the collection or map. Following types of the Java runtime are affected in Java versions available in December 2021:

• java.util.HashMap
• java.util.HashSet
• java.util.Hashtable
• java.util.LinkedHashMap
• java.util.LinkedHashSet
• java.util.Stack (older Java revisions only)
• java.util.Vector (older Java revisions only)
• Other third party collection implementations that use their element's hash code may also be affected

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:

XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:

XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::

xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);

However, this implies that your application does not care about the implementation of the map and all elements are comparable.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-43859.

Credits

The vulnerability was discovered and reported by r00t4dm at Cloud-Penetrating Arrow Lab.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2022-41966

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:

• java.util.HashMap
• java.util.HashSet
• java.util.Hashtable
• java.util.LinkedHashMap
• java.util.LinkedHashSet
• Other third party collection implementations that use their element's hash code may also be affected

A simple solution is to catch the StackOverflowError in the client code calling XStream.

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:

XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:

XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::

xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);

However, this implies that your application does not care about the implementation of the map and all elements are comparable.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2022-40151

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151.

Credits

The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.

For more information

If you have any questions or comments about this advisory:

• Open an issue in XStream
• Contact us at XStream Google Group

CVE-2024-47072

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.

Patches

XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072.

Credits

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.