XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-15436 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.62. See the     following advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:3626

    Security Fix(es):

    * xstream: Denial of Service by injecting recursive collections or maps based on element's hash values     raising a stack overflow (CVE-2022-41966)

    * springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

    * jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

    * jenkins-2-plugin: email-ext: Missing permission check in Email Extension Plugin (CVE-2023-32979)

    * jenkins-2-plugin: email-ext: CSRF vulnerability in Email Extension Plugin (CVE-2023-32980)

    * jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline     Utility Steps Plugin (CVE-2023-32981)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3663 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * xstream: Denial of Service by injecting recursive collections or maps based on element's hash values     raising a stack overflow (CVE-2022-41966)

    * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)     (CVE-2023-1370)

    * springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

    * log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)

    * Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)

    * Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)

    * jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

    * http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

    * springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)

    * jettison: parser crash by stackoverflow (CVE-2022-40149)

    * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

    * jackson-databind: use of deeply nested arrays (CVE-2022-42004)

    * jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

    * jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline     Utility Steps Plugin (CVE-2023-32981)

    * jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

    * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

    * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

  - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using ** as a pattern in Spring     Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring     Security and Spring MVC, and the potential for a security bypass. (CVE-2023-20860)

  - Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to     be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able     to set build display names immediately. (CVE-2023-32977)

  - Jenkins Email Extension Plugin does not perform a permission check in a method implementing form     validation, allowing attackers with Overall/Read permission to check for the existence of files in the     email-templates/ directory in the Jenkins home directory on the controller file system. (CVE-2023-32979)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to     make another user stop watching an attacker-specified job. (CVE-2023-32980)

  - An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows     attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent     file system with attacker-specified content. (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0 version of WebCenter Sites installed on the remote host is affected by multiple vulnerabilities as referenced in the July 2023 CPU advisory.

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites (XStream)).     The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability     can result in the attacker crashing the application with a stack overflow error via via manipulation the     processed input stream. (CVE-2022-41966)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites (Apache Commons IO)).     The supported version that is affected is 12.2.1.4.0. Difficult to exploint vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability     can result in unauthorized access to files specifically in the parent directory. (CVE-2021-29425)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.4.0.0 versions of Enterprise Manager Ops Center installed on the remote host are affected by a DoS vulnerability in XStream component as referenced in the April 2023 CPU advisory. XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2007 advisory.

    XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1673-1 advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5946-1 advisory.

    Lai Han discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2021-39140)

    It was discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-39139,     CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148,     CVE-2021-39149, CVE-2021-39151, CVE-2021-39153, CVE-2021-39154)

    It was discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2021-39150, CVE-2021-39152)

    Lai Han discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     cause a denial of service. (CVE-2022-41966)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 9d9e9439-959e-11ed-b464-b42e991fc52e advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3267 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-5315 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202627	Atlassian Jira Service Management Data Center and Server < 5.4.18 / 5.5.x < 5.8.0 / 5.12.0 (JSDSERVER-15436)	Nessus	Misc.	high
194326	RHEL 8 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)	Nessus	Red Hat Local Security Checks	high
194242	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3663)	Nessus	Red Hat Local Security Checks	critical
189419	RHCOS 4 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)	Nessus	Red Hat Local Security Checks	high
178706	Oracle WebCenter Sites (Jul 2023 CPU)	Nessus	Windows	medium
174627	Oracle Enterprise Manager Ops Center (Apr 2023 CPU)	Nessus	Misc.	high
173906	Amazon Linux 2 : xstream (ALAS-2023-2007)	Nessus	Amazon Linux Local Security Checks	high
173696	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xstream (SUSE-SU-2023:1673-1)	Nessus	SuSE Local Security Checks	high
172496	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : XStream vulnerabilities (USN-5946-1)	Nessus	Ubuntu Local Security Checks	high
170077	FreeBSD : security/keycloak -- Multiple possible DoS attacks (9d9e9439-959e-11ed-b464-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high
170076	Debian DLA-3267-1 : libxstream-java - LTS security update	Nessus	Debian Local Security Checks	high
169930	Debian DSA-5315-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-41966

high

Tenable Plugins

high

high

critical

high

medium

high

high

high

high

high

high

high