SB2022122822 - Multiple vulnerabilities in XStream
Published: December 28, 2022 Updated: January 10, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2022-40151)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error if the parser is running on user supplied input. A remote attacker can pass a specially crafted XML input to the application and perform a denial of service attack.
2) Input validation error (CVE-ID: CVE-2022-41966)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted data to the application, trigger a stack overflow error and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/x-stream/xstream/issues/304
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367
- https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm
- https://x-stream.github.io/CVE-2022-40151.html
- https://x-stream.github.io/CVE-2022-41966.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv