Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.1
CVSSv3

CVE-2021-21351

Published: 23/03/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 9.1 | Impact Score: 6 | Exploitability Score: 2.3
VMScore: 580
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Subscribe to Xstream Project

Vulnerability Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote malicious user to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

xstream project xstream

debian debian linux 9.0

debian debian linux 10.0

debian debian linux 11.0

fedoraproject fedora 33

fedoraproject fedora 34

fedoraproject fedora 35

oracle banking platform 2.4.0

oracle webcenter portal 12.2.1.3.0

oracle webcenter portal 11.1.1.9.0

oracle communications unified inventory management 7.3.2

oracle communications unified inventory management 7.3.4

oracle communications unified inventory management 7.3.5

oracle communications unified inventory management 7.4.0

oracle communications policy management 12.5.0

oracle webcenter portal 12.2.1.4.0

oracle banking platform 2.7.1

oracle banking platform 2.9.0

oracle banking virtual account management 14.3.0

oracle communications billing and revenue management elastic charging engine 12.0.0.3.0

oracle business activity monitoring 12.2.1.3.0

oracle business activity monitoring 11.1.1.9.0

oracle business activity monitoring 12.2.1.4.0

oracle communications unified inventory management 7.4.1

oracle retail xstore point of service 16.0.6

oracle retail xstore point of service 17.0.4

oracle retail xstore point of service 18.0.3

oracle retail xstore point of service 19.0.2

oracle banking platform 2.12.0

oracle banking virtual account management 14.2.0

oracle banking virtual account management 14.5.0

oracle banking enterprise default management 2.12.0

oracle banking enterprise default management 2.10.0

oracle mysql server

Vendor Advisories

Debian CVElist Bug Report Logs: libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351
Debian Bug report logs - #985843 libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351 Package: src:libxstream-java; Maintainer for src:libxstream-java is Debian Java Maintainers <pkg-java-maintainers@listsal ...
Debian Security Advisories: DSA-5004-1 libxstream-java -- security update
Multiple security vulnerabilities have been discovered in XStream, a Java library to serialize objects to XML and back again These vulnerabilities may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream XStream itself sets up a whitelist by default now, ie it blocks all c ...
Red Hat: CVE-2021-21351
XStream is a Java library to serialize objects to XML and back again In XStream before version 1416, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream No user is affected, who followed the recommendation to setup XStream's security framework ...

References

CWE-502CWE-434http://x-stream.github.io/changes.html#1.4.16https://x-stream.github.io/security.html#workaroundhttps://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2chttps://x-stream.github.io/CVE-2021-21351.htmlhttps://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlhttps://security.netapp.com/advisory/ntap-20210430-0002/https://www.oracle.com//security-alerts/cpujul2021.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.debian.org/security/2021/dsa-5004https://www.oracle.com/security-alerts/cpujan2022.htmlhttps://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3Ehttps://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3Ehttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/https://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843https://www.debian.org/security/2021/dsa-5004
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3400CVE-2023-7252CVE-2024-21111denial of serviceCVE-2024-29661CVE-2024-22856remote attackersencryptionCVE-2023-38299
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook