Severity: 8.5 HIGH
EPSS: 0.7% (top 28.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 23; Latest update Mar 13

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 6.0

Affected Packages (13 packages)

Debian      libxstream-java              < 1.4.15-3+deb11u1   (+3)
NVD         xstream/xstream              < 1.4.18
CVEListV5   x-stream/xstream             < 1.4.18
NVD         oracle/utilities_framework   7 versions           (+6)

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Vulnerability Details (4)

OSV       XStream is vulnerable to an Arbitrary Code Execution attack                                  2021-08-25
GHSA      XStream is vulnerable to an Arbitrary Code Execution attack                                  2021-08-25
OSV       CVE-2021-39153: XStream is a simple library to serialize objects to XML and back again       2021-08-23
CVEList   XStream is vulnerable to an Arbitrary Code Execution attack                                  2021-08-23

Vendor Advisories (5)

Ubuntu    XStream vulnerabilities                                                                                            2023-03-13
Oracle    Oracle Communications Risk Matrix: Automated Test Suite Framework (XStream) - CVE-2021-39153                        2022-04-15
Oracle    Oracle Communications Risk Matrix: Signaling (XStream) - CVE-2021-39153                                             2022-01-15
Red Hat   xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl                      2021-08-22
Debian    CVE-2021-39153: libxstream-java - XStream is a simple library to serialize objects to XML and back again. In affec...   2021