XStream Vulnerability List
17 vulnerabilities related to XStream found in total.
CVE-2013-7285: XStream <1.4.6/1.4.10 - Remote Code Execution (PoC available)
XStream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any other supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without supplying the necessary credentials.
CVE-2020-26217: XStream <1.4.14 - Remote Code Execution (PoC available)
XStream before 1.4.14 is susceptible to remote code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Users who rely on blocklists are affected.
CVE-2020-26258: XStream <1.4.15 - Server-Side Request Forgery (PoC available)
XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
CVE-2021-21345: XStream <1.4.16 - Remote Code Execution (PoC available)
XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
CVE-2021-21351: XStream <1.4.16 - Remote Code Execution (PoC available)
XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
CVE-2021-29505: XStream <1.4.17 - Remote Code Execution (PoC available)
XStream before 1.4.17 is susceptible to remote code execution. An attacker can execute commands on the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
CVE-2021-39141: XStream 1.4.18 - Remote Code Execution (PoC available)
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands on the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
CVE-2021-39144: XStream 1.4.18 - Remote Code Execution (PoC available)
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands on the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups that followed XStream's security recommendations and use an allow-list are not impacted.
CVE-2021-39146: XStream 1.4.18 - Arbitrary Code Execution (PoC available)
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands on the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups that followed XStream's security recommendations and use an allow-list are not impacted.
CVE-2021-39152: XStream <1.4.18 - Server-Side Request Forgery (PoC available)
XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
EasySite XStream Deserialization Vulnerability (No PoC)
Deserialization vulnerabilities mainly occur when an application does not adequately check the serialized strings supplied as user input. An attacker can craft malicious serialized data to control the application's behaviour, execute arbitrary code, access or modify sensitive data, and potentially take control of the entire system.
XStream Project XStream Stack Overflow Vulnerability Leading to Denial of Service (No PoC)
亿赛通 XStream Insecure Deserialization Vulnerability (No PoC)
The XStream component of 亿赛通 contains an insecure deserialization vulnerability, caused by insufficient validation of user input in multiple interfaces.
XStream API CVE-2013-7285 Remote Command Injection Vulnerability (No PoC)
The XStream API contains a remote command injection vulnerability, caused by a lack of validation of user-supplied XML data.
XStream Library ReflectionConverter Insecure Deserialization Vulnerability (No PoC)
The XStream library contains an insecure deserialization vulnerability, caused by insufficient validation of the event handler types in user-supplied XML data.
XStream CVE-2022-41966 Denial of Service Vulnerability (No PoC)
XStream < 1.4.17 Deserialization Remote Code Execution Vulnerability (No PoC)
On May 14, XStream released a security update fixing a critical vulnerability, CVE-2021-29505. Using this vulnerability, an attacker can construct specially crafted XML that bypasses XStream's blocklist and ultimately triggers deserialization, resulting in arbitrary code execution.