Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-39141

CWE-434 — Unrestricted File Upload CWE-502 — Deserialization of Untrusted Data10 documents8 sources

Severity

8.5HIGH

EPSS

81.8%

top 0.80%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

X-stream Xstream Xstream Xstream Debian Debian Linux +12 more

Timeline

PublishedAug 23

Latest updateMar 13

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages15 packages

▶NVDxstream/xstream< 1.4.18

▶CVEListV5x-stream/xstream< 1.4.18

▶Mavencom.thoughtworks.xstream:xstream< 1.4.18

▶Debianlibxstream-java< 1.4.15-3+deb11u1+3

▶NVDoracle/utilities_framework7 versions+6

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

libxstream-java vulnerabilities↗2023-03-13

▶

GHSA

XStream is vulnerable to an Arbitrary Code Execution attack↗2021-08-25

▶

OSV

XStream is vulnerable to an Arbitrary Code Execution attack↗2021-08-25

▶

CVEList

XStream is vulnerable to an Arbitrary Code Execution attack↗2021-08-23

▶

OSV

CVE-2021-39141: XStream is a simple library to serialize objects to XML and back again↗2021-08-23

▶

💥Exploits & PoCs

Nuclei

XStream 1.4.18 - Remote Code Execution

▶

📋Vendor Advisories

Ubuntu

XStream vulnerabilities↗2023-03-13

▶

Red Hat

xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*↗2021-08-22

▶

Debian

CVE-2021-39141: libxstream-java - XStream is a simple library to serialize objects to XML and back again. In affec...↗2021

▶