Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2021-39146
Severity
8.5HIGH
EPSS
47.2%
top 2.32%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedAug 23
Latest updateMar 13
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0
Affected Packages15 packages
Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35
Patches
🔴Vulnerability Details
5OSV
▶
💥Exploits & PoCs
1Nuclei▶
XStream 1.4.18 - Arbitrary Code Execution