A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote malicious user to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-39139) XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote malicious user to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140) A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote malicious user to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-39141) (CVE-2021-39144) (CVE-2021-39145) (CVE-2021-39146) (CVE-2021-39147) (CVE-2021-39148) (CVE-2021-39149) (CVE-2021-39151) (CVE-2021-39153) (CVE-2021-39154) A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote malicious user to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-39150) (CVE-2021-39152)
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
xstream project xstream |
||
debian debian linux 9.0 |
||
debian debian linux 10.0 |
||
debian debian linux 11.0 |
||
fedoraproject fedora 33 |
||
fedoraproject fedora 34 |
||
fedoraproject fedora 35 |
||
netapp snapmanager - |
||
oracle webcenter portal 12.2.1.3.0 |
||
oracle utilities framework 4.2.0.3.0 |
||
oracle utilities framework 4.2.0.2.0 |
||
oracle utilities framework 4.3.0.6.0 |
||
oracle utilities framework 4.4.0.0.0 |
||
oracle communications unified inventory management 7.3.4 |
||
oracle communications unified inventory management 7.3.5 |
||
oracle communications unified inventory management 7.4.0 |
||
oracle webcenter portal 12.2.1.4.0 |
||
oracle utilities framework 4.4.0.2.0 |
||
oracle communications billing and revenue management elastic charging engine 11.3 |
||
oracle communications billing and revenue management elastic charging engine 12.0 |
||
oracle business activity monitoring 12.2.1.4.0 |
||
oracle commerce guided search 11.3.2 |
||
oracle communications unified inventory management 7.4.1 |
||
oracle retail xstore point of service 16.0.6 |
||
oracle retail xstore point of service 17.0.4 |
||
oracle retail xstore point of service 18.0.3 |
||
oracle retail xstore point of service 19.0.2 |
||
oracle retail xstore point of service 20.0.1 |
||
oracle utilities framework 4.4.0.3.0 |
||
oracle utilities testing accelerator 6.0.0.1.1 |
||
oracle communications cloud native core binding support function 1.10.0 |
||
oracle utilities framework 4.3.0.1.0 |
||
oracle communications cloud native core policy 1.14.0 |
||
oracle communications unified inventory management 7.4.2 |
||
oracle communications cloud native core automated test suite 1.9.0 |
Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Make sure you're patched – and update VMware Cloud Foundation, too, by the way
Cisco says miscreants are exploiting two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, which is supposed to ensure safe VPN access for remote workers. One of the pair of flaws, tracked as CVE-2020-3433, is a privilege-escalation issue: an authenticated, local user can exploit AnyConnect to execute code with SYSTEM-level privileges. A rogue insider or malware on a PC can use this to gain total control over the system. It affects Cisco AnyConnect Secure Mobility Client for ...
Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Plus: Misconfigured server leaks Reuters data; VMware patches critical flaw in retired software; MalwareBytes apologies for a hoodie
In brief Apple has patched an iOS and iPad OS vulnerability that's already been exploited. Crediting an anonymous security researcher with reporting the issue, Apple said the problem involves an out-of-bounds write issue – which involves adding data past the end or before the beginning of a buffer. The impacts can bedata corruption, a crash or the chance to execute arbitrary code with kernel privileges. Apple issued patches for iOS 16.1 and iPad OS 16, to address this and 19 other vulner...