CVE 2017 7957.patch

xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java | 3 | 3 + | 0 - | 0 !
xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java | 5 | 3 + | 2 - | 0 !
xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java | 21 | 21 + | 0 - | 0 !
3 files changed, 27 insertions(+), 2 deletions(-)

Fixes CVE-2017-7957: when a certain denyTypes workaround is not
used, XStream mishandles attempts to create an instance of the primitive type
'void' during unmarshalling, leading to a remote application crash, as
demonstrated by an xstream.fromXML("<void/>") call.
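
For installations that cannot take the patch yet, the following added example (not part of this patch or of the XStream project's code) shows a deny-list configuration and a check that the `<void/>` input is rejected. It assumes the workaround the description refers to is an `XStream.denyTypes` call listing `void.class` and `Void.class`; the class and method names `VoidTypeWorkaround`, `hardened` and `isRejected` are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

public class VoidTypeWorkaround {

    // Build an XStream instance that refuses the primitive type 'void'
    // and its wrapper before any converter can try to instantiate them.
    // Assumption: this is the denyTypes workaround the description means.
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Returns true when unmarshalling fails with an XStream exception
    // (a denied type surfaces as a subclass of XStreamException),
    // false when the input is unmarshalled normally.
    static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed inputs: the element from the description and a benign one.
        System.out.println("<void/> rejected: "
                + isRejected(xstream, "<void/>"));
        System.out.println("<string>ok</string> rejected: "
                + isRejected(xstream, "<string>ok</string>"));
    }
}
```

Because the deny rule is applied in `hardened()` before any input is parsed, the check can be kept as a regression test against unpatched builds without triggering the crash.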