Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-21345

CWE-94 — Code Injection CWE-502 — Deserialization of Untrusted Data CWE-78 — OS Command Injection12 documents9 sources

Severity

9.9CRITICAL

EPSS

88.1%

top 0.51%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

X-stream Xstream Apache Activemq Apache Jmeter +13 more

Timeline

PublishedMar 23

Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:NExploitability: 1.3 | Impact: 4.0

Affected Packages16 packages

▶Debianlibxstream-java< 1.4.15-2+3

▶NVDxstream/xstream< 1.4.16

▶CVEListV5x-stream/xstream< 1.4.16

▶Mavencom.thoughtworks.xstream:xstream< 1.4.16

▶NVDoracle/banking_enterprise_default_management2.10.0, 2.12.0+1

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

CVE-2021-21345: XStream is a Java library to serialize objects to XML and back again↗2021-03-23

▶

GHSA

XStream is vulnerable to a Remote Command Execution attack↗2021-03-22

▶

CVEList

XStream is vulnerable to a Remote Command Execution attack↗2021-03-22

▶

OSV

XStream is vulnerable to a Remote Command Execution attack↗2021-03-22

▶

💥Exploits & PoCs

Nuclei

XStream < 1.4.16 - Remote Code Execution

▶

📋Vendor Advisories

Ubuntu

XStream vulnerabilities↗2024-08-22

▶

Oracle

Oracle Oracle Communications Risk Matrix: Policy (XStream) — CVE-2021-21345↗2021-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: CN ECE (XStream) — CVE-2021-21345↗2021-07-15

▶

Ubuntu

XStream vulnerabilities↗2021-05-11

▶

Red Hat

XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry↗2021-03-12

▶