CVE-2021-39150
published 2021-08-23CVE-2021-39150: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data…
high8.5CVSS 3.1
AVNACHPRLUINSCCHIHAH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
Affected
36 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libxstream-java | < libxstream-java 1.4.18-1 (bookworm) | libxstream-java 1.4.18-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oracle | business_activity_monitoring | — | — |
| oracle | commerce_guided_search | — | — |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | — | — |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | — | — |
| oracle | communications_cloud_native_core_automated_test_suite | — | — |
| oracle | communications_cloud_native_core_binding_support_function | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | utilities_framework | — | — |
CVSS provenance
nvdv3.18.5HIGHCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
ghsa8.5HIGH
osv8.8HIGH