
CVE-2021-29505

Published: 28/05/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 582
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions before 1.4.17 may allow a remote attacker to obtain sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
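The mitigation the summary refers to is an explicit type allowlist configured through XStream's security framework. The following is an added example, not code from this page or from the XStream project: it uses the permission and allowTypes API of the XStream 1.4.x line as the author of this example understands it, and the Order class and the two XML inputs are constructed for illustration. Even on patched releases, which default to a deny-all list, configuring the allowlist yourself documents exactly which types the application accepts.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.List;

public class XStreamAllowlistExample {

    /** Hypothetical application type: the only custom class expected in the stream. */
    public static class Order {
        public String id;
        public int quantity;
        public List<String> items;
    }

    /**
     * Build an XStream instance that accepts only the types this application needs.
     * The order matters: deny everything first, then re-enable the minimal set.
     */
    public static XStream secureXStream() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);

        // Deny-all baseline: every type is forbidden unless a later permission allows it.
        xstream.addPermission(NoTypePermission.NONE);
        // Allow <null/> elements and the primitive wrappers (int, boolean, ...).
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Exactly the classes our documents contain; no package wildcards.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // The List field is materialised as a java.util.Collection implementation,
        // so permit that hierarchy rather than a broad "java.util.**" wildcard.
        xstream.allowTypeHierarchy(Collection.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();

        // Constructed sample input: the document shape the application expects.
        String expected = "<order><id>A-1</id><quantity>2</quantity>"
                + "<items><string>widget</string></items></order>";
        Order order = (Order) xstream.fromXML(expected);
        System.out.println("accepted: " + order.id + " x" + order.quantity + " " + order.items);

        // Constructed sample input whose root element names a type that is not on
        // the allowlist. The security framework rejects it before any instance is
        // created (ForbiddenClassException, a subclass of XStreamException).
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type was accepted; allowlist is too broad");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

A useful check when reviewing an existing configuration is to grep for allowTypesByWildcard with patterns such as "**" or a bare package prefix; those widen the allowlist far beyond the "minimal required types" the advisory calls for and should be replaced by explicit allowTypes or allowTypeHierarchy calls as above.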

Vulnerable Products

xstream project xstream
debian debian linux 9.0
debian debian linux 10.0
debian debian linux 11.0
fedoraproject fedora 33
fedoraproject fedora 34
fedoraproject fedora 35
netapp snapmanager -
oracle webcenter portal 12.2.1.3.0
oracle webcenter portal 12.2.1.4.0
oracle webcenter sites 12.2.1.3.0
oracle webcenter sites 12.2.1.4.0
oracle communications unified inventory management 7.3.4
oracle communications unified inventory management 7.3.5
oracle communications unified inventory management 7.4.0
oracle communications unified inventory management 7.4.1
oracle communications unified inventory management 7.4.2
oracle enterprise manager ops center 12.4.0.0
oracle banking credit facilities process management 14.2.0
oracle banking credit facilities process management 14.3.0
oracle banking credit facilities process management 14.5.0
oracle banking corporate lending process management 14.2.0
oracle banking corporate lending process management 14.3.0
oracle banking corporate lending process management 14.5.0
oracle business activity monitoring 11.1.1.9.0
oracle business activity monitoring 12.2.1.3.0
oracle business activity monitoring 12.2.1.4.0
oracle retail xstore point of service 16.0.6
oracle retail xstore point of service 17.0.4
oracle retail xstore point of service 18.0.3
oracle retail xstore point of service 19.0.2
oracle retail xstore point of service 20.0.1
oracle banking supply chain finance 14.2.0
oracle banking trade finance process management 14.5.0
oracle banking cash management 14.2
oracle banking cash management 14.3
oracle banking cash management 14.5
oracle communications brm - elastic charging engine 11.3
oracle communications brm - elastic charging engine 12.0

Vendor Advisories

Debian Bug report logs - #989491 libxstream-java: CVE-2021-29505. Package: src:libxstream-java; Maintainer for src:libxstream-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>. Date: Sat, 5 Jun 2021 07:33:01 UTC. Severity: grave. Tags: s ...
Synopsis: Moderate: Red Hat Decision Manager 7.12.0 security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed sever ...
Synopsis: Critical: Red Hat Process Automation Manager 7.12.0 security update. Type/Severity: Security Advisory: Critical. Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gi ...
Synopsis: Moderate: Red Hat Data Grid 8.3.0 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is ...
Synopsis: Important: Red Hat Fuse 7.11.0 release and security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update ...
Multiple security vulnerabilities have been discovered in XStream, a Java library to serialize objects to XML and back again. These vulnerabilities may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. XStream itself sets up a whitelist by default now, i.e. it blocks all c ...
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-29505) ...
### Impact The vulnerability may allow a remote attacker to gain sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's defaul ...
Check Point Reference: CPAI-2021-2076 Date Published: 15 Jan 2024 Severity: High ...