Description
Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object.
XStream is a simple library to serialize objects to XML and back again.
It was determined that your web application performs deserialization of user-supplied data using the Xstream library and is vulnerable to one of the following vulnerabilities:
- CVE-2013-7285: XStream can be used for Remote Code Execution.
- CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
- CVE-2020-26217: XStream can be used for Remote Code Execution.
Remediation
Upgrade to the latest version of XStream to fix this issue.
References
Related Vulnerabilities
WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.31)
WordPress 4.5.x Multiple Vulnerabilities (4.5 - 4.5.22)
Oracle Business Intelligence Convert XXE CVE-2019-2767
Deserialization of Untrusted Data (Java JSON Deserialization) Genson
Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO