[Geoserver-devel] [JIRA] (GEOS-10280) Geoserver Xstream version (current 1.4.11.1) has known vulnerabilities

Maurice Grefe created an issue

GeoServer / BugGEOS-10280

Geoserver Xstream version (current 1.4.11.1) has known vulnerabilities

Issue Type:

BugBug

Assignee:

Unassigned

Created:

18/Oct/21 4:53 PM

Priority:

MediumMedium

Reporter:

Maurice Grefe

Hello all,

I don’t know if the following vulnerabilities are relevant (a similar ticket was already addressed in August 2019 (GEOS-9307) ), however the vulnerabilities are rated Critical and are already fixed by a newer version.

Critical:

  • CVE-2021-21351, CVE-2021-21345, CVE-2021-21350, CVE-2021-21344, CVE-2021-21347, CVE-2021-21342,
    CVE-2021-21346 - vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
    High:
  • CVE-2021-39151, CVE-2021-39153, CVE-2021-39154, CVE-2020-26217, CVE-2020-26258, CVE-2021-39141: vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream.
  • CVE-2021-21341: vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.
  • CVE-2021-21343: vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host.

Version 1.4.18 Link will fix all these vulnerabilities.

Add Comment

Add Comment

Get Jira notifications on your phone! Download the Jira Cloud app for Android or iOS


This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100183-sha1:f5b067a)

Atlassian logo