CVE-2017-7957

HIGH

XStream <= 1.4.9 (as bundled in Red Hat Fuse and JBoss Middleware) - Improper Input Validation leading to remote denial of service

Title source: rule

Description

XStream through 1.4.9, when the denyTypes workaround (denying void.class and Void.class) is not applied, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash (denial of service), as demonstrated by an xstream.fromXML("<void/>") call. The bug is fixed in XStream 1.4.10.
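The following is an added example written for this page, not code from the XStream project or from the PoC repositories listed below. It places the default (vulnerable) unmarshalling call next to the denyTypes workaround the description refers to, and shows why the failure on an affected version counts as a crash rather than a handled error. The class and method names (XStreamVoidCrashDemo, vulnerableUnmarshal, hardenedUnmarshal, PAYLOAD) are the example's own; it assumes com.thoughtworks.xstream:xstream 1.4.9 on the classpath to reproduce the crash, and 1.4.7 or later for the security API that denyTypes belongs to.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

// Added demonstration for CVE-2017-7957; not code from the XStream project.
// Build against com.thoughtworks.xstream:xstream 1.4.9 to reproduce; 1.4.10 contains the fix.
public class XStreamVoidCrashDemo {

    // The payload from the advisory. XStream resolves the element name "void" to the
    // primitive type void.class and then tries to instantiate it during unmarshalling.
    static final String PAYLOAD = "<void/>";

    // Vulnerable usage: the default XStream configuration on versions <= 1.4.9.
    static Object vulnerableUnmarshal(String xml) {
        XStream xstream = new XStream();
        return xstream.fromXML(xml);
    }

    // Hardened usage: the denyTypes workaround referenced in the description. It uses the
    // type-permission framework added in XStream 1.4.7, so it applies to 1.4.7 through 1.4.9.
    static Object hardenedUnmarshal(String xml) {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        // 1. Hardened path: the type check runs before any instantiation is attempted,
        //    so the payload is rejected with an ordinary (catchable) runtime exception.
        try {
            hardenedUnmarshal(PAYLOAD);
            System.out.println("hardened: payload unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened: rejected as expected: " + e.getMessage());
        }

        // 2. Vulnerable path. On an affected version instantiating void fails with a
        //    java.lang.Error (InstantiationError), not an Exception, so the usual
        //    catch (Exception e) around fromXML() does not contain it and the calling
        //    thread dies. Throwable is caught here only to display what escapes.
        try {
            vulnerableUnmarshal(PAYLOAD);
            System.out.println("vulnerable: returned normally (fixed version)");
        } catch (Exception e) {
            System.out.println("vulnerable: ordinary exception: " + e.getClass().getName());
        } catch (Throwable t) {
            System.out.println("vulnerable: escaped exception handling: " + t.getClass().getName());
        }
    }
}
```

Compile and run with the XStream jar on the classpath (for example `javac -cp xstream-1.4.9.jar XStreamVoidCrashDemo.java` and `java -cp xstream-1.4.9.jar:. XStreamVoidCrashDemo`). The deny list is a stopgap for deployments that cannot move off 1.4.9 immediately; the durable fix is upgrading to 1.4.10 or later, which is the upper bound of the affected Maven range given under Products.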

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-7957-xstream-vulnerable
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-7957-xstream-vulnerable

Scores

CVSS v3 7.5
EPSS 0.0264 (2.64% estimated probability of exploitation in the wild within 30 days)
EPSS Percentile 85.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (6)
com.thoughtworks.xstream/xstream >= 0, < 1.4.10 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
redhat/fuse 1.0
redhat/jboss_middleware 1
xstream/xstream <= 1.4.9
Published Apr 29, 2017
Tracked Since Feb 18, 2026