CVE-2021-21341

CWE-400Uncontrolled Resource ConsumptionCWE-502Deserialization of Untrusted DataCWE-835CWE-770Allocation without Limits9 documents7 sources
Severity
7.5HIGH
EPSS
27.3%
top 3.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
X-stream XstreamApache ActivemqApache Jmeter+10 more
Timeline
PublishedMar 23
Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages13 packages

Debianlibxstream-java< 1.4.15-2+3
NVDxstream/xstream< 1.4.16
CVEListV5x-stream/xstream< 1.4.16

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
CVE-2021-21341: XStream is a Java library to serialize objects to XML and back again2021-03-23
OSV
XStream can cause a Denial of Service.2021-03-22
CVEList
XStream can cause a Denial of Service2021-03-22
GHSA
XStream can cause a Denial of Service.2021-03-22

📋Vendor Advisories

4
Ubuntu
XStream vulnerabilities2024-08-22
Ubuntu
XStream vulnerabilities2021-05-11
Red Hat
XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream2021-03-12
Debian
CVE-2021-21341: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream...2021