CVE-2022-41966: XStream Denial of Service via stack overflow

Published Dec 27, 2022
·
Updated

A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.

Other sources

XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By manipulating the processed input stream at unmarshalling time, a remote attacker could exploit this vulnerability to replace or inject objects and cause a denial of service.

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

Affected Software

6 affected componentsFixes available
redhat/jenkins<0:2.401.1.1686831596-3.el8
0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.401.1.1685677065-1.el8
0:2.401.1.1685677065-1.el8
redhat/xstream<1.4.20
1.4.20
Xstream Project Xstream<1.4.20
IBM Security Verify Governance<=10.0
XStream XStream<1.4.20

Event History

Dec 27, 2022
CVE Published
via MITRE·11:07 PM
Data Sourced
via MITRE·11:07 PM
DescriptionSeverityWeakness
Feb 16, 2023
Data Sourced
via Red Hat·11:11 AM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2022-41966?

CVE-2022-41966 is a vulnerability in the xstream package that allows a remote attacker to cause a denial of service (DoS) by manipulating the processed input stream.

2

What is the severity of CVE-2022-41966?

The severity of CVE-2022-41966 is high, with a CVSS score of 8.2.

3

How can CVE-2022-41966 be exploited?

CVE-2022-41966 can be exploited by an attacker manipulating the input stream, causing a stack overflow error and terminating the application.

4

Which software versions are affected by CVE-2022-41966?

Versions prior to 1.4.20 of the xstream package and versions v1.0 - v1.8.2 of IBM Disconnected Log Collector are affected by CVE-2022-41966.

5

Where can I find more information about CVE-2022-41966?

You can find more information about CVE-2022-41966 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2022-41966), the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2022-41966), and the XStream GitHub page (https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203