CVSSv3: 9.8

CVE-2021-21350

Published: 23/03/2021 Updated: 16/02/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the security framework, you will have to use at least version 1.4.16.
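The whitelist setup the summary recommends, as an added example that is not code from the XStream project or from this page: it clears XStream's default permissions and allows only the one application type, so an input document naming any other class is refused before anything is instantiated. The Order class, the "order" alias and both XML documents are assumptions constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only object this service ever reads back.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Hardened setup: drop every default permission first, then allow only what
    // the application actually deserializes. Keep this list as short as possible;
    // every extra type is extra attack surface for gadget chains.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);
        return xs;
    }

    // Returns true if the document was accepted, false if the security framework
    // refused a type. Other parse failures propagate as XStreamException.
    static boolean accepts(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed sample input: the one document shape the service expects.
        String legit = "<order><id>A-1</id><quantity>3</quantity></order>";
        Order o = (Order) xs.fromXML(legit);
        System.out.println("accepted order " + o.id + " x" + o.quantity);

        // Constructed sample input: a document naming a JDK type the service never
        // asked for. This is not an exploit payload, merely a type outside the
        // whitelist; the whitelist rejects it without instantiating anything.
        String outsideAllowlist = "<java.util.HashMap/>";
        System.out.println("document outside whitelist accepted: "
                + accepts(xs, outsideAllowlist));
    }
}
```

Adding NoTypePermission.NONE resets the permission list, so the order of the addPermission calls matters: the deny-all goes first and the specific allowances follow it. This is the configuration that makes an application unaffected regardless of the library version; upgrading to 1.4.16 only replaces one blacklist with a longer one.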



Vulnerable Products

xstream project: xstream
debian: debian linux 9.0
debian: debian linux 10.0
debian: debian linux 11.0
fedoraproject: fedora 33
fedoraproject: fedora 34
fedoraproject: fedora 35
oracle: banking enterprise default management 2.10.0
oracle: banking enterprise default management 2.12.0
oracle: banking platform 2.4.0
oracle: banking platform 2.7.1
oracle: banking platform 2.9.0
oracle: banking platform 2.12.0
oracle: banking virtual account management 14.2.0
oracle: banking virtual account management 14.3.0
oracle: banking virtual account management 14.5.0
oracle: business activity monitoring 11.1.1.9.0
oracle: business activity monitoring 12.2.1.3.0
oracle: business activity monitoring 12.2.1.4.0
oracle: communications billing and revenue management elastic charging engine 12.0.0.3.0
oracle: communications policy management 12.5.0
oracle: communications unified inventory management 7.3.2
oracle: communications unified inventory management 7.3.4
oracle: communications unified inventory management 7.3.5
oracle: communications unified inventory management 7.4.0
oracle: communications unified inventory management 7.4.1
oracle: retail xstore point of service 16.0.6
oracle: retail xstore point of service 17.0.4
oracle: retail xstore point of service 18.0.3
oracle: retail xstore point of service 19.0.2
oracle: webcenter portal 11.1.1.9.0
oracle: webcenter portal 12.2.1.3.0
oracle: webcenter portal 12.2.1.4.0
oracle: weblogic server 12.1.3.0.0
oracle: weblogic server 12.2.1.3.0
oracle: weblogic server 12.2.1.4.0
oracle: weblogic server 14.1.1.0.0

Vendor Advisories

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limi ...
Debian Bug report logs - #985843 libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351. Package: src:libxstream-java; Maintainer for src:libxstream-java is Debian Java Maintainers <pkg-java-maintainers@listsal ...
A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-21344) A flaw was found in xstream. A remote attacker, who has ...
IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of XStream ...
Multiple security vulnerabilities have been discovered in XStream, a Java library to serialize objects to XML and back again. These vulnerabilities may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. XStream itself sets up a whitelist by default now, i.e. it blocks all c ...
Multiple vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js may affect IBM Spectrum Control. The Java vulnerabilities were disclosed as part of the IBM Java SDK updates in October 2020 and January 2021 ...

Github Repositories

WorkflowServiceXml deserialization adjustment. The EXP and the class it uses are released here for everyone to study and to modify into a payload of your own. Adjusted the EXP from 宽字节安全; when testing locally I found the EXP would pop a calculator, so after decoding it I fixed up the code. Vulnerability analysis reference link: mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw. Note: briefly, the root cause is that a certain vendor (某微) references

WorkflowServiceXml deserialization adjustment. Adjusted the EXP from 宽字节安全; when testing locally I found the EXP would pop a calculator, so after decoding it I fixed up the code. Vulnerability analysis reference link: mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw. Note: briefly, the root cause is that a certain vendor (某微) references the XStream component, which is why it can be deserialized; the EXP specifically uses the official POC. Here I also

X-STREAM POC study. CVE Description 2021: CVE-2021-21341 XStream can cause a Denial of Service. CVE-2021-21342 A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host. CVE-2021-21343 XStream is vulnerable to an Arbitrary File Deletion on the local host when unma