CVE-2021-39153
published 2021-08-23CVE-2021-39153: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute…
high8.5CVSS 3.1
AVNACHPRLUINSCCHIHAH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Affected
30 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libxstream-java | < libxstream-java 1.4.18-1 (bookworm) | libxstream-java 1.4.18-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oracle | business_activity_monitoring | — | — |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | — | — |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | — | — |
| oracle | communications_cloud_native_core_automated_test_suite | — | — |
| oracle | communications_cloud_native_core_binding_support_function | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | communications_unified_inventory_management | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
CVSS provenance
nvdv3.18.5HIGHCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
ghsa8.5HIGH
osv8.8HIGH