CVE-2021-39147

Published: 23/08/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 8.5 | Impact Score: 6 | Exploitability Score: 1.8
VMScore: 534
CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote malicious user to load and execute arbitrary code from a remote host merely by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Vulnerable Products

xstream project xstream

fedoraproject fedora 33

fedoraproject fedora 34

fedoraproject fedora 35

debian debian linux 9.0

debian debian linux 10.0

debian debian linux 11.0

netapp snapmanager -

oracle webcenter portal 12.2.1.3.0

oracle utilities framework 4.2.0.3.0

oracle utilities framework 4.2.0.2.0

oracle utilities framework 4.3.0.6.0

oracle utilities framework 4.4.0.0.0

oracle communications unified inventory management 7.3.4

oracle communications unified inventory management 7.3.5

oracle communications unified inventory management 7.4.0

oracle webcenter portal 12.2.1.4.0

oracle utilities framework 4.4.0.2.0

oracle communications billing and revenue management elastic charging engine 11.3

oracle communications billing and revenue management elastic charging engine 12.0

oracle business activity monitoring 12.2.1.4.0

oracle commerce guided search 11.3.2

oracle communications unified inventory management 7.4.1

oracle retail xstore point of service 16.0.6

oracle retail xstore point of service 17.0.4

oracle retail xstore point of service 18.0.3

oracle retail xstore point of service 19.0.2

oracle retail xstore point of service 20.0.1

oracle utilities framework 4.4.0.3.0

oracle utilities testing accelerator 6.0.0.1.1

oracle communications cloud native core binding support function 1.10.0

oracle utilities framework 4.3.0.1.0

oracle communications cloud native core policy 1.14.0

oracle communications unified inventory management 7.4.2

oracle communications cloud native core automated test suite 1.9.0

Vendor Advisories

Debian Bug report logs - #998054 libxstream-java: vulnerable to CVE-2021-391{{3941},{4454}}. Package: libxstream-java; Maintainer for libxstream-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for libxstream-java is src:libxstream-java (PTS, buildd, popcon). Reported by: Alex Thiessen ...
Synopsis: Moderate: Red Hat Decision Manager 7.12.0 security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed sever ...
Synopsis: Critical: Red Hat Process Automation Manager 7.12.0 security update. Type/Severity: Security Advisory: Critical. Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gi ...
Synopsis: Moderate: Red Hat Data Grid 8.3.0 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is ...
Multiple security vulnerabilities have been discovered in XStream, a Java library to serialize objects to XML and back again. These vulnerabilities may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. XStream itself sets up a whitelist by default now, i.e. it blocks all c ...
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-391 ...
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist ...