CVE-2017-7957 - Vulnerability Details

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Redhat	Fuse Jboss Amq Jboss Bpms Jboss Enterprise Brms Platform Jboss Fuse Jboss Middleware
Xstream	Xstream

Configuration 1 [-]

OR	cpe:2.3:a:redhat:fuse:1.0:::::::*
	cpe:2.3:a:redhat:jboss_middleware:1:::::::*

Configuration 2 [-]

cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat JBoss A-MQ 6.3
camel	cpe:/a:redhat:jboss_amq:6.3	RHSA-2017:1832	2017-08-10T00:00:00Z
Red Hat JBoss BPMS 6.4
	cpe:/a:redhat:jboss_bpms:6.4	RHSA-2017:2889	2017-10-12T00:00:00Z
Red Hat JBoss BRMS 6.4
xstream	cpe:/a:redhat:jboss_enterprise_brms_platform:6.4	RHSA-2017:2888	2017-10-12T00:00:00Z
Red Hat JBoss Fuse 6.3
camel	cpe:/a:redhat:jboss_fuse:6.3	RHSA-2017:1832	2017-08-10T00:00:00Z

References

Link	Providers
http://www.debian.org/security/2017/dsa-3841
http://www.securityfocus.com/bid/100687
http://www.securitytracker.com/id/1039499
http://x-stream.github.io/CVE-2017-7957.html
https://access.redhat.com/errata/RHSA-2017:1832
https://access.redhat.com/errata/RHSA-2017:2888
https://access.redhat.com/errata/RHSA-2017:2889
https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
https://nvd.nist.gov/vuln/detail/CVE-2017-7957
https://www-prd-trops.events.ibm.com/node/715749
https://www.cve.org/CVERecord?id=CVE-2017-7957

History

Fri, 23 May 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat fuse Redhat jboss Middleware Xstream Xstream xstream
CPEs	cpe:2.3:a:xstream_project:xstream::::::::	cpe:2.3:a:redhat:fuse:1.0:::::::* cpe:2.3:a:redhat:jboss_middleware:1:::::::* cpe:2.3:a:xstream:xstream::::::::
Vendors & Products	Xstream Project Xstream Project xstream	Redhat fuse Redhat jboss Middleware Xstream Xstream xstream
Metrics	cvssV3_0 `{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` cvssV3_0 `{'score': 5.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-04-29T19:00:00

Updated: 2024-08-05T16:19:29.479Z

Reserved: 2017-04-19T00:00:00

Link: CVE-2017-7957

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-04-29T19:59:00.167

Modified: 2025-05-23T17:54:30.910

Link: CVE-2017-7957

Redhat

Severity : Moderate

Publid Date: 2017-04-03T00:00:00Z

Links: CVE-2017-7957 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object