CVE-2016-3674 – com.thoughtworks.xstream:xstream
Package
Manager: maven
Name: com.thoughtworks.xstream:xstream
Vulnerable Version: >=0 <1.4.9
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.05505 (percentile 0.89862)
Details
XML External Entity Injection in XStream
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Metadata
Created: 2020-06-30T22:48:14Z
Modified: 2025-05-23T19:00:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-rgh3-987h-wpmw/GHSA-rgh3-987h-wpmw.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-rgh3-987h-wpmw
Finding: F017
Auto approve: 1