Platform: java
Component: com.thoughtworks.xstream:xstream
Fixed in: 1.4.11 (and later, e.g. 1.4.12)
CVE-2019-10173 describes an insecure deserialization vulnerability in XStream, a Java object-serialisation library. XStream 1.4.10 reintroduced, as a regression, a flaw that earlier releases had already fixed: if the application has not initialised XStream's security framework, unmarshalling attacker-controlled XML (or any other format XStream supports) can let a remote attacker run arbitrary shell commands. The affected range is recorded as versions up to and including 1.4.10 (the 1.4.10-java7 build included); the fix shipped in 1.4.11.
The impact of CVE-2019-10173 is severe. Successful exploitation gives the attacker code execution on the target system with the privileges of the Java process that runs XStream, which can lead to full system compromise, data exfiltration and lateral movement within the network. The root cause is that deserialization proceeds without the security framework having been initialised, so a malicious XML or JSON payload can name arbitrary classes to instantiate and thereby reach code execution. The flaw is a regression of the earlier CVE-2013-7285 and illustrates how deserialization fixes can silently be lost in later releases.
CVE-2019-10173 was publicly disclosed on July 26, 2019. It is considered a regression of CVE-2013-7285, which demonstrated the potential for remote code execution through XStream deserialization. Public proof-of-concept exploits are available, indicating a relatively low barrier to entry for attackers. While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation warrant immediate attention.
Any application that uses XStream to parse XML or JSON, and in particular one that feeds it untrusted input, is at risk: web applications, enterprise Java back ends, and any service that unmarshals external data with XStream. Legacy applications pinned to older XStream releases, or that never configured the security framework, are especially exposed.
• java / server: locate bundled copies of the affected release (the java7 build ships as xstream-1.4.10-java7.jar, so match on the version prefix):
find / -name "xstream-1.4.10*.jar" 2>/dev/null
• java / supply-chain: check the resolved dependency tree (Maven or Gradle dependency analysis) for XStream versions <= 1.4.10-java7, including transitive dependencies pulled in by other libraries.
• java / server: monitor application logs for deserialization errors or suspicious activity related to XML/JSON processing.
• generic web: review web application request/response logs for XML/JSON payloads that name unexpected Java classes, a typical sign of attempted deserialization attacks.
Exploit status: disclosure
EPSS: 92.96% (100th percentile)
The primary mitigation for CVE-2019-10173 is to upgrade to XStream 1.4.11 or later. Independently of the version, initialise XStream's security framework and restrict unmarshalling to an explicit allowlist of application types; this removes the class of attack rather than just this instance of it. If upgrading is not immediately feasible, do not pass untrusted XML or JSON to XStream at all, and apply strict input validation where that is unavoidable. A web application firewall configured to inspect and block known deserialization patterns adds a layer of defence, but it is easily bypassed and must not be the only control. Monitor application logs for suspicious deserialization activity, particularly errors related to class loading or unexpected object creation.
Update the XStream library to version 1.4.11 or later. This fixes a regression of an earlier deserialization vulnerability that could allow remote command execution. Make sure the XStream security framework is initialised to reduce the risk.
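The security-framework initialisation the advisory recommends looks like this in practice. This is an added example, not code from the XStream project or from the original page; the class name XStreamHardening, the method hardenedParser and the Order type are assumptions standing in for an application's own types. The parser starts from a deny-all permission and re-allows only the types the application needs, so a document that names a JDK class such as java.lang.ProcessBuilder is refused before any instance is created:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example (not XStream project code): explicit allowlist configuration for XStream.
public class XStreamHardening {

    // Hypothetical application type: the only object graph this parser should ever produce.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Hardened parser: deny every type first, then permit exactly what the application needs.
    // A bare "new XStream()" left without this setup on 1.4.10 will resolve any class the
    // document names; this instance refuses anything not listed below.
    public static XStream hardenedParser() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // forbid every type first
        xs.addPermission(NullPermission.NULL);                // then re-allow null ...
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // ... and primitives/wrappers
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);                       // stable element name for callers
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate document.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        // Constructed sample input: a document naming a JDK type the application never expects.
        String unexpected = "<java.lang.ProcessBuilder><command><string>id</string></command>"
                + "</java.lang.ProcessBuilder>";

        XStream xs = hardenedParser();

        Order o = (Order) xs.fromXML(good);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        try {
            xs.fromXML(unexpected);
            System.out.println("ERROR: unexpected type was accepted");
        } catch (ForbiddenClassException e) {
            // Root-level rejection arrives as ForbiddenClassException.
            System.out.println("rejected: " + e.getMessage());
        } catch (XStreamException e) {
            // A forbidden type nested deeper in the document is reported wrapped in a
            // ConversionException, which also extends XStreamException.
            System.out.println("rejected (nested): " + e.getMessage());
        }
    }
}
```

On 1.4.10 the static helper XStream.setupDefaultSecurity(xs) applies a comparable deny-by-default baseline, but the explicit allowlist above is what you should ship regardless of version: it does not depend on which defaults a given release happens to install, and it keeps working after the upgrade to 1.4.11.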
CVE-2019-10173 is a critical vulnerability in XStream versions up to 1.4.10-java7 that allows remote attackers to execute arbitrary shell commands through insecure deserialization of XML or JSON data when the security framework has not been initialised.
You are affected if your application uses XStream 1.4.10 (including the 1.4.10-java7 build) or an earlier release; check the resolved dependency tree, including transitive dependencies, to confirm.
Upgrade to XStream 1.4.11 or later to resolve this vulnerability, and initialise the security framework with an explicit allowlist of types. If upgrading is not possible, keep untrusted input away from XStream and validate what remains.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity, the available proof-of-concept code and its ease of exploitation make it a likely target.
Refer to the XStream project's website and security advisories for the latest information: https://xstream.codehaus.org/