XStream 1.4 BinaryStream Stack Overflow DoS
CVE-2024-47072 Published on November 8, 2024

XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

Github Repository NVD

Vulnerability Analysis

CVE-2024-47072 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Types

What is a Stack Overflow Vulnerability?

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CVE-2024-47072 has been classified to as a Stack Overflow vulnerability or weakness.

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2024-47072 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2024-47072

stack.watch emails you whenever new vulnerabilities are published in Oracle or X Stream. Just hit a watch button to start following.

Oracle
 
X Stream
 

Affected Versions

x-stream xstream: x-stream:

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-47072

Package Manager Vulnerable Package Versions Fixed In
maven com.thoughtworks.xstream:xstream < 1.4.21 1.4.21

Exploit Probability

EPSS
0.27%
Percentile
49.99%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.