Vulnerabilities > Xstream Project

DATE CVE VULNERABILITY TITLE RISK
2020-12-16 CVE-2020-26259 OS Command Injection vulnerability in multiple products
XStream is a Java library to serialize objects to XML and back again.
network
high complexity
xstream-project debian fedoraproject CWE-78
6.8
2020-12-16 CVE-2020-26258 Server-Side Request Forgery (SSRF) vulnerability in multiple products
XStream is a Java library to serialize objects to XML and back again.
network
low complexity
xstream-project debian fedoraproject CWE-918
7.7
2020-11-16 CVE-2020-26217 OS Command Injection vulnerability in multiple products
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.
network
low complexity
xstream-project debian netapp apache oracle CWE-78
8.8
2019-07-23 CVE-2019-10173 Code Injection vulnerability in multiple products
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw.
network
low complexity
xstream-project oracle CWE-94
critical
9.8
2019-05-15 CVE-2013-7285 OS Command Injection vulnerability in Xstream Project Xstream
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format.
network
low complexity
xstream-project CWE-78
critical
9.8
2017-04-29 CVE-2017-7957 Improper Input Validation vulnerability in multiple products
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
network
low complexity
xstream-project debian CWE-20
7.5
2016-05-17 CVE-2016-3674 Information Exposure vulnerability in multiple products
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
network
low complexity
fedoraproject debian xstream-project CWE-200
7.5