CVE-2021-21350

CWE-434Unrestricted File UploadCWE-502Deserialization of Untrusted Data9 documents7 sources
Severity
9.8CRITICAL
EPSS
8.8%
top 7.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
16
X-stream XstreamApache ActivemqApache Jmeter+13 more
Timeline
PublishedMar 23
Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages16 packages

Debianlibxstream-java< 1.4.15-2+3
NVDxstream/xstream< 1.4.16
CVEListV5x-stream/xstream< 1.4.16

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
CVE-2021-21350: XStream is a Java library to serialize objects to XML and back again2021-03-23
OSV
XStream is vulnerable to an Arbitrary Code Execution attack2021-03-22
CVEList
XStream is vulnerable to an Arbitrary Code Execution attack2021-03-22
GHSA
XStream is vulnerable to an Arbitrary Code Execution attack2021-03-22

📋Vendor Advisories

4
Ubuntu
XStream vulnerabilities2024-08-22
Ubuntu
XStream vulnerabilities2021-05-11
Red Hat
XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader2021-03-12
Debian
CVE-2021-21350: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream...2021