burpjdser-ng's People

Contributors

dependabot-preview[bot], mend-bolt-for-github[bot], omercnet, renovate[bot], stephanchenette

burpjdser-ng's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Detected dependencies

github-actions
.github/workflows/codeql-analysis.yml
  • actions/checkout v4
  • github/codeql-action v3
  • github/codeql-action v3
  • github/codeql-action v3
.github/workflows/gradle-build-pr.yml
  • actions/checkout v4
  • actions/setup-java v4
  • eskatos/gradle-command-action v3
  • actions/upload-artifact v4
gradle
settings.gradle
  • com.gradle.enterprise 3.16.2
build.gradle
  • org.nosphere.gradle.github.actions 1.4.0
  • com.github.johnrengelman.shadow 8.1.1
  • com.thoughtworks.xstream:xstream 1.4.20
  • org.codehaus.jettison:jettison 1.5.4
  • net.portswigger.burp.extender:burp-extender-api 2.3
gradle-wrapper
gradle/wrapper/gradle-wrapper.properties
  • gradle 8.6

Stack trace in burp requests

Could not initialize class loader:

com.thoughtworks.xstream.converters.ConversionException: Security alert. Marshalling rejected.
---- Debugging information ----
message : Security alert. Marshalling rejected.

at com.thoughtworks.xstream.XStream$InternalBlackList.marshal(XStream.java:2556)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:68)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:87)
at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeBareItem(AbstractCollectionConverter.java:94)
at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:66)
at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeCompleteItem(AbstractCollectionConverter.java:81)
at com.thoughtworks.xstream.converters.collections.ArrayConverter.marshal(ArrayConverter.java:45)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:68)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:83)
at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.marshallField(AbstractReflectionConverter.java:270)
at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter$2.writeField(AbstractReflectionConverter.java:174)
at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doMarshal(AbstractReflectionConverter.java:262)
at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.marshal(AbstractReflectionConverter.java:90)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:68)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1320)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1309)
at com.thoughtworks.xstream.XStream.toXML(XStream.java:1282)
at com.thoughtworks.xstream.XStream.toXML(XStream.java:1269)
at burp.Utils.Deserialize(Utils.java:51)
at burp.BurpExtender$SerializedJavaInputTab.setMessage(BurpExtender.java:146)
at burp.cp_.b(Unknown Source)
at burp.bx4.a(Unknown Source)
at burp.bx4.d(Unknown Source)
at burp.bx4.lambda$new$0(Unknown Source)
at java.desktop/javax.swing.JTabbedPane.fireStateChanged(JTabbedPane.java:442)
at java.desktop/javax.swing.JTabbedPane$ModelListener.stateChanged(JTabbedPane.java:293)
at java.desktop/javax.swing.DefaultSingleSelectionModel.fireStateChanged(DefaultSingleSelectionModel.java:143)
at java.desktop/javax.swing.DefaultSingleSelectionModel.setSelectedIndex(DefaultSingleSelectionModel.java:74)
at java.desktop/javax.swing.JTabbedPane.setSelectedIndexImpl(JTabbedPane.java:646)
at java.desktop/javax.swing.JTabbedPane.setSelectedIndex(JTabbedPane.java:621)
at burp.bxp.setSelectedIndex(Unknown Source)
at java.desktop/javax.swing.plaf.basic.BasicTabbedPaneUI$Handler.mousePressed(BasicTabbedPaneUI.java:4090)
at java.desktop/java.awt.Component.processMouseEvent(Component.java:6633)
at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
at java.desktop/java.awt.Component.processEvent(Component.java:6401)
at java.desktop/java.awt.Container.processEvent(Container.java:2263)
at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5012)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4844)
at burp.bxp.a(Unknown Source)
at burp.bxp.a(Unknown Source)
at burp.dea.mousePressed(Unknown Source)
at java.desktop/java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:288)
at java.desktop/java.awt.Component.processMouseEvent(Component.java:6633)
at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
at java.desktop/java.awt.Component.processEvent(Component.java:6401)
at java.desktop/java.awt.Container.processEvent(Container.java:2263)
at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5012)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4844)
at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4919)
at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4545)
at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4489)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2764)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4844)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Java Object tab not appearing, JARs keep loading

Hi, thanks a lot for the project.
But the extension doesn't currently seem to be working:
After successful installation, no "Java Object" tab appeared.
And when I select the serialized object and right-click > Extensions > Reload JARs, the extension only keeps reloading the JARs without deserialization or any other option to send to other tabs.

Is there a possibility to publish a new release?
Thank you very much.

Can deserialize, but not serialize

Using BurpJDSer-ng in Burp 1.6a or 1.5.21 (I haven't tested other versions) I can successfully deserialize requests. However, when I change an intercepted request and forward the request, the resulting edited request is empty. Apparently the serialization fails.

Ward

java.lang.ClassNotFoundException

I run this: java -classpath burpsuite_free_v1.6.32.jar;burpjdser.jar;xstream-1.4.2.jar;C:\jars/* burp.StartBurp
I've loaded "BurpJDSer-ng" to the extensions successfully
Using Windows 10, JDK 1.7
Then tried to browse through the application but I get an error:

Something went wrong, did you change the body in a bad way?

java.lang.ClassNotFoundException: com.mer.util.proxy.InvocationResult
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at burp.CustomLoaderObjectInputStream.resolveClass(CustomLoaderObjectInputStream.java:30)
at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
at java.io.ObjectInputStream.readClassDesc(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at burp.BurpExtender$SerializedJavaInputTab.setMessage(BurpExtender.java:169)
at burp.gh.b(Unknown Source)
at burp.o8d.a(Unknown Source)
at burp.o8d.a(Unknown Source)
at burp.ig.stateChanged(Unknown Source)
at javax.swing.JTabbedPane.fireStateChanged(Unknown Source)
at javax.swing.JTabbedPane$ModelListener.stateChanged(Unknown Source)
at javax.swing.DefaultSingleSelectionModel.fireStateChanged(Unknown Source)
at javax.swing.DefaultSingleSelectionModel.setSelectedIndex(Unknown Source)
at javax.swing.JTabbedPane.setSelectedIndexImpl(Unknown Source)
at javax.swing.JTabbedPane.setSelectedIndex(Unknown Source)
at javax.swing.plaf.basic.BasicTabbedPaneUI$Handler.mousePressed(Unknown Source)
at javax.swing.plaf.synth.SynthTabbedPaneUI$1.mousePressed(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at burp.n8d.a(Unknown Source)
at burp.n8d.a(Unknown Source)
at burp.i5b.mousePressed(Unknown Source)
at java.awt.AWTEventMulticaster.mousePressed(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Window.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$500(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)

xstream-1.4.12.jar: 30 vulnerabilities (highest severity is: 9.9)

Vulnerable Library - xstream-1.4.12.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.thoughtworks.xstream/xstream/1.4.12/a668a33eb8d7c3ac728a3823cf4339ff762c75ca/xstream-1.4.12.jar

Found in HEAD commit: f3a0c3a96deb40b982ca6707a14f438d608f4399

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2021-21345 | High | 9.9 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21344 | High | 9.8 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21350 | High | 9.8 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21347 | High | 9.8 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21346 | High | 9.8 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21342 | High | 9.1 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21351 | High | 9.1 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-39139 | High | 8.8 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2020-26217 | High | 8.8 | xstream-1.4.12.jar | Direct | 1.4.13-java7 |
CVE-2021-29505 | High | 8.8 | xstream-1.4.12.jar | Direct | 1.4.17 |
CVE-2021-21349 | High | 8.6 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-39150 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39152 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39151 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39154 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39153 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39141 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39145 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39144 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39147 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39146 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39149 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2021-39148 | High | 8.5 | xstream-1.4.12.jar | Direct | 1.4.18 |
CVE-2020-26258 | High | 7.7 | xstream-1.4.12.jar | Direct | 1.4.14-jdk7 |
CVE-2021-21343 | High | 7.5 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-21341 | High | 7.5 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2021-43859 | High | 7.5 | xstream-1.4.12.jar | Direct | com.thoughtworks.xstream:xstream:1.4.19 |
CVE-2021-21348 | High | 7.5 | xstream-1.4.12.jar | Direct | 1.4.16 |
CVE-2020-26259 | Medium | 6.8 | xstream-1.4.12.jar | Direct | 1.4.14-jdk7 |
CVE-2021-39140 | Medium | 6.3 | xstream-1.4.12.jar | Direct | 1.4.18 |

Details

Partial details (6 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.

CVE-2021-21345

Dependency Hierarchy:

  • xstream-1.4.12.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21345

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hwpc-8xqv-jvj4

Release Date: 2021-03-23

Fix Resolution: 1.4.16

CVE-2021-21344

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-59jw-jqf4-3wq3

Release Date: 2021-03-23

Fix Resolution: 1.4.16

CVE-2021-21350

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21350

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-43gc-mjxg-gvrq

Release Date: 2021-03-23

Fix Resolution: 1.4.16

CVE-2021-21347

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21347

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qpfq-ph7r-qv6f

Release Date: 2021-03-23

Fix Resolution: 1.4.16

CVE-2021-21346

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21346

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4hrm-m67v-5cxr

Release Date: 2021-03-23

Fix Resolution: 1.4.16

CVE-2021-21342

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side forgery request. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21342

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hvv8-336g-rx3m

Release Date: 2021-03-23

Fix Resolution: 1.4.16

ClassNotFoundException when deserializing the Request

DSing the response works just fine, but when DSing the request this exception is thrown:

java.lang.ClassNotFoundException: boolean
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)

Are you familiar with this problem? Do you know how to fix it?

I'm using Burp 1.5.08, the current version of BurpJDSer-ng and jre1.7

Not working with non executable jar files

The extension does not pick up any jar files when they are not executable, in other words when the MANIFEST file does not contain a main method.

Is there any way to include support for this scenario?
