Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.4
    • Fix Version/s: 1.4.5
    • Component/s: Core
    • Labels:
      None
    • JDK version and platform:
      JDK 7u17

      Description

      A Jenkins user reported a stack trace ending in the following (the rest involves a particular plugin):

      java.lang.NullPointerException
      	at com.thoughtworks.xstream.converters.ConversionException.add(ConversionException.java:65)
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1066)
      	at hudson.util.XStream2.unmarshal(XStream2.java:109)
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1045)
      	at hudson.XmlFile.unmarshal(XmlFile.java:166)
      

      Here it seems that pkg.getImplementationVersion() is null in unmarshal yet that condition is not checked for. This is using Jenkins's patched version of XStream, but I checked the trunk sources of the official version and the same code is used, so theoretically it is equally vulnerable.

        People

        • Assignee:
          Jörg Schaible
          Reporter:
          Jesse Glick
        • Votes:
          0
          Watchers:
          2
