CVE-2021-29505: XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has…

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

EXPLOIT

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

Affected

42 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	libxstream-java	< libxstream-java 1.4.15-3 (bookworm)	libxstream-java 1.4.15-3 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
oracle	banking_cash_management	—	—
oracle	banking_cash_management	—	—
oracle	banking_cash_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	business_activity_monitoring	—	—
oracle	business_activity_monitoring	—	—
oracle	business_activity_monitoring	—	—
oracle	communications_brm_elastic_charging_engine	—	—
oracle	communications_brm_elastic_charging_engine	—	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ghsa8.8HIGH

osv8.8HIGH