CVE-2021-39140

CWE-502Deserialization of Untrusted DataCWE-83510 documents8 sources
Severity
6.3MEDIUM
EPSS
0.1%
top 66.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
15
X-stream XstreamXstream XstreamDebian Debian Linux+12 more
Timeline
PublishedAug 23
Latest updateMar 13

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages16 packages

NVDxstream/xstream< 1.4.18
CVEListV5x-stream/xstream< 1.4.18
Debianlibxstream-java< 1.4.15-3+deb11u1+3
Ubuntulibxstream-java< 1.4.11.1-1+deb10u4build0.18.04.1+4

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

5
OSV
libxstream-java vulnerabilities2023-03-13
GHSA
XStream can cause a Denial of Service2021-08-25
OSV
XStream can cause a Denial of Service2021-08-25
CVEList
XStream can cause a Denial of Service2021-08-23
OSV
CVE-2021-39140: XStream is a simple library to serialize objects to XML and back again2021-08-23

📋Vendor Advisories

4
Ubuntu
XStream vulnerabilities2023-03-13
Oracle
Oracle Oracle Communications Risk Matrix: Policy (XStream) — CVE-2021-391402022-04-15
Red Hat
xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler2021-08-22
Debian
CVE-2021-39140: libxstream-java - XStream is a simple library to serialize objects to XML and back again. In affec...2021