Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-21351

CWE-434 — Unrestricted File Upload CWE-502 — Deserialization of Untrusted Data10 documents8 sources

Severity

9.1CRITICAL

EPSS

92.0%

top 0.30%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

X-stream Xstream Apache Activemq Apache Jmeter +13 more

Timeline

PublishedMar 23

Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NExploitability: 1.0 | Impact: 4.0

Affected Packages16 packages

▶Debianlibxstream-java< 1.4.15-2+3

▶NVDxstream/xstream< 1.4.16

▶CVEListV5x-stream/xstream< 1.4.16

▶Mavencom.thoughtworks.xstream:xstream< 1.4.16

▶NVDoracle/banking_enterprise_default_management2.10.0, 2.12.0+1

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

CVE-2021-21351: XStream is a Java library to serialize objects to XML and back again↗2021-03-23

▶

OSV

XStream is vulnerable to an Arbitrary Code Execution attack↗2021-03-22

▶

GHSA

XStream is vulnerable to an Arbitrary Code Execution attack↗2021-03-22

▶

CVEList

XStream is vulnerable to an Arbitrary Code Execution attack↗2021-03-22

▶

💥Exploits & PoCs

Nuclei

XStream <1.4.16 - Remote Code Execution

▶

📋Vendor Advisories

Ubuntu

XStream vulnerabilities↗2024-08-22

▶

Ubuntu

XStream vulnerabilities↗2021-05-11

▶

Red Hat

XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream↗2021-03-12

▶

Debian

CVE-2021-21351: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream...↗2021

▶