Platform: java
Component: com.thoughtworks.xstream:xstream
Fixed in: 1.4.12, 1.4.11
CVE-2019-10173 is an insecure deserialization vulnerability affecting XStream versions up to 1.4.10-java7. It is a regression that reintroduced a previously fixed flaw (CVE-2013-7285), allowing remote attackers to potentially execute arbitrary shell commands. The vulnerability stems from the security framework not being properly initialized before XML or JSON data is unmarshalled. A fix is available in version 1.4.11.
The impact of CVE-2019-10173 is severe. A successful exploit allows an attacker to execute arbitrary code on the affected system with the privileges of the application running XStream. This could lead to complete system compromise, data theft, or denial of service. The vulnerability is particularly concerning because it leverages deserialization, a common attack vector. This flaw is a regression of CVE-2013-7285, indicating a history of similar issues within XStream. Exploitation could occur through crafted XML or JSON payloads sent to applications using XStream for data processing.
CVE-2019-10173 was publicly disclosed on July 26, 2019. It is considered a high-severity vulnerability due to its potential for remote code execution. While no active exploitation campaigns have been definitively linked to this specific CVE, the ease of exploitation and the potential impact make it a target for attackers. The regression nature of this vulnerability, stemming from a previous CVE (CVE-2013-7285), highlights the importance of thorough security testing and regression testing after security fixes.
Exploit Status
EPSS: 92.96% (100% percentile)
CVSS Vector
The primary mitigation for CVE-2019-10173 is to upgrade to XStream version 1.4.11 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the processing of untrusted XML or JSON data. Web application firewalls (WAFs) configured to detect and block malicious deserialization attempts can provide an additional layer of defense. Ensure that the security framework within XStream is properly initialized before any unmarshalling operations are performed. Monitor application logs for suspicious deserialization activity.
Update the XStream library to version 1.4.11 or higher. This corrects a regression in a previous deserialization vulnerability that could allow remote command execution. Ensure the XStream security framework is initialized to mitigate the risk.
CVE-2019-10173 is a critical vulnerability in XStream versions up to 1.4.10-java7 that allows remote attackers to execute arbitrary shell commands through insecure deserialization of XML or JSON data.
You are affected if your application uses XStream version 1.4.10-java7 or earlier. Check your dependencies to confirm.
Upgrade to XStream version 1.4.11 or later to resolve this vulnerability. If upgrading is not possible, implement input validation and sanitization.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the XStream project's website and security advisories for the latest information: https://xstream.codehaus.org/