Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2021-39152 — Deserialization of Untrusted Data in Xstream
CWE-502 — Deserialization of Untrusted DataCWE-918 — Server-Side Request Forgery10 documents9 sources
Severity
8.5HIGHNVD
EPSS
61.8%
top 1.66%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedAug 23
Latest updateMar 13
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Secur…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0
Affected Packages13 packages
Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35
Patches
🔴Vulnerability Details
5OSV▶
A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host↗2021-08-25
GHSA▶
A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host↗2021-08-25
OSV
▶
💥Exploits & PoCs
1Nuclei▶
XStream <1.4.18 - Server-Side Request Forgery