CVE-2021-21347

CWE-434Unrestricted File UploadCWE-502Deserialization of Untrusted Data9 documents7 sources
Severity
9.8CRITICAL
EPSS
3.3%
top 12.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
16
X-stream XstreamApache ActivemqApache Jmeter+13 more
Timeline
PublishedMar 23
Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:NExploitability: 1.6 | Impact: 4.0

Affected Packages16 packages

Debianlibxstream-java< 1.4.15-2+3
NVDxstream/xstream< 1.4.16
CVEListV5x-stream/xstream< 1.4.16

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
CVE-2021-21347: XStream is a Java library to serialize objects to XML and back again2021-03-23
OSV
XStream is vulnerable to an Arbitrary Code Execution attack2021-03-22
CVEList
XStream is vulnerable to an Arbitrary Code Execution attack2021-03-22
GHSA
XStream is vulnerable to an Arbitrary Code Execution attack2021-03-22

📋Vendor Advisories

4
Ubuntu
XStream vulnerabilities2024-08-22
Ubuntu
XStream vulnerabilities2021-05-11
Red Hat
XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator2021-03-12
Debian
CVE-2021-21347: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream...2021