CVE-2021-39139
Severity
8.8 HIGH
EPSS
0.8%
top 25.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published
Aug 23
Latest update
Mar 13
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommen…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 6.0
Affected Packages (15 packages)
Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35
Patches
Vulnerability Details
OSV (5)
Vendor Advisories (6)
Oracle: Oracle Fusion Middleware Risk Matrix: Security Framework (XStream) — CVE-2021-39139 (2022-07-15)
Oracle: Oracle Commerce Risk Matrix: Content Acquisition System (XStream) — CVE-2021-39139 (2022-04-15)
Oracle: Oracle Communications Applications Risk Matrix: Updater (XStream) — CVE-2021-39139 (2022-01-15)
Red Hat: xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (2021-08-22)