CVE-2021-21348

CWE-400Uncontrolled Resource ConsumptionCWE-502Deserialization of Untrusted DataCWE-13339 documents7 sources
Severity
7.5HIGH
EPSS
0.3%
top 51.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
16
X-stream XstreamApache ActivemqApache Jmeter+13 more
Timeline
PublishedMar 23
Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages16 packages

Debianlibxstream-java< 1.4.15-2+3
NVDxstream/xstream< 1.4.16
CVEListV5x-stream/xstream< 1.4.16

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
CVE-2021-21348: XStream is a Java library to serialize objects to XML and back again2021-03-23
OSV
XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)2021-03-22
GHSA
XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)2021-03-22
CVEList
XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)2021-03-22

📋Vendor Advisories

4
Ubuntu
XStream vulnerabilities2024-08-22
Ubuntu
XStream vulnerabilities2021-05-11
Red Hat
XStream: ReDoS vulnerability2021-03-12
Debian
CVE-2021-21348: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream...2021