XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote malicious user to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
xstream project xstream |
||
debian debian linux 9.0 |
||
debian debian linux 10.0 |
||
debian debian linux 11.0 |
||
fedoraproject fedora 33 |
||
fedoraproject fedora 34 |
||
fedoraproject fedora 35 |
||
netapp snapmanager - |
||
oracle webcenter portal 12.2.1.3.0 |
||
oracle utilities framework 4.2.0.3.0 |
||
oracle utilities framework 4.2.0.2.0 |
||
oracle utilities framework 4.3.0.6.0 |
||
oracle utilities framework 4.4.0.0.0 |
||
oracle communications unified inventory management 7.3.4 |
||
oracle communications unified inventory management 7.3.5 |
||
oracle communications unified inventory management 7.4.0 |
||
oracle webcenter portal 12.2.1.4.0 |
||
oracle utilities framework 4.4.0.2.0 |
||
oracle communications billing and revenue management elastic charging engine 11.3 |
||
oracle communications billing and revenue management elastic charging engine 12.0 |
||
oracle business activity monitoring 12.2.1.4.0 |
||
oracle commerce guided search 11.3.2 |
||
oracle communications unified inventory management 7.4.1 |
||
oracle retail xstore point of service 16.0.6 |
||
oracle retail xstore point of service 17.0.4 |
||
oracle retail xstore point of service 18.0.3 |
||
oracle retail xstore point of service 19.0.2 |
||
oracle retail xstore point of service 20.0.1 |
||
oracle utilities framework 4.4.0.3.0 |
||
oracle utilities testing accelerator 6.0.0.1.1 |
||
oracle communications cloud native core binding support function 1.10.0 |
||
oracle utilities framework 4.3.0.1.0 |
||
oracle communications cloud native core policy 1.14.0 |
||
oracle communications unified inventory management 7.4.2 |
||
oracle communications cloud native core automated test suite 1.9.0 |