If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. XStream is a Java library to serialize objects to XML and back again.
A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host. Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9.
0 kommentar(er)
