CVE-2021-21342

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
netapponcommand_insight
-
apacheactivemq
𝑥
< 5.15.14
apacheactivemq
5.16.0
apacheactivemq
5.16.1
apachejmeter
𝑥
< 5.5
xstreamxstream
𝑥
< 1.4.16
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
oraclebanking_enterprise_default_management
2.10.0
oraclebanking_enterprise_default_management
2.12.0
oraclebanking_platform
2.4.0
oraclebanking_platform
2.7.1
oraclebanking_platform
2.9.0
oraclebanking_platform
2.12.0
oraclebanking_virtual_account_management
14.2.0
oraclebanking_virtual_account_management
14.3.0
oraclebanking_virtual_account_management
14.5.0
oraclebusiness_activity_monitoring
11.1.1.9.0
oraclebusiness_activity_monitoring
12.2.1.3.0
oraclebusiness_activity_monitoring
12.2.1.4.0
oraclecommunications_brm_-_elastic_charging_engine
12.0.0.3
oraclecommunications_policy_management
12.5.0
oraclecommunications_unified_inventory_management
7.3.2
oraclecommunications_unified_inventory_management
7.3.4
oraclecommunications_unified_inventory_management
7.3.5
oraclecommunications_unified_inventory_management
7.4.0
oraclecommunications_unified_inventory_management
7.4.1
oracleretail_xstore_point_of_service
16.0.6
oracleretail_xstore_point_of_service
17.0.4
oracleretail_xstore_point_of_service
18.0.3
oracleretail_xstore_point_of_service
19.0.2
oraclewebcenter_portal
11.1.1.9.0
oraclewebcenter_portal
12.2.1.3.0
oraclewebcenter_portal
12.2.1.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxstream-java
bullseye (security)
1.4.15-3+deb11u2
fixed
bullseye
1.4.15-3+deb11u2
fixed
bookworm
1.4.20-1
fixed
sid
1.4.20-2
fixed
trixie
1.4.20-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxstream-java
noble
Fixed 1.4.15-2
released
mantic
Fixed 1.4.15-2
released
lunar
Fixed 1.4.15-2
released
kinetic
Fixed 1.4.15-2
released
jammy
Fixed 1.4.15-2
released
impish
Fixed 1.4.15-2
released
hirsute
Fixed 1.4.15-1ubuntu0.1
released
groovy
Fixed 1.4.11.1-2ubuntu0.1
released
focal
Fixed 1.4.11.1-1ubuntu0.2
released
bionic
Fixed 1.4.11.1-1~18.04.2
released
xenial
Fixed 1.4.8-1ubuntu0.1+esm3
released
trusty
Fixed 1.4.7-1ubuntu0.1+esm2
released
Common Weakness Enumeration
References
http://x-stream.github.io/changes.html#1.4.16
https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210430-0002/
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://x-stream.github.io/CVE-2021-21342.html
https://x-stream.github.io/security.html#workaround
http://x-stream.github.io/changes.html#1.4.16
https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210430-0002/
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://x-stream.github.io/CVE-2021-21342.html
https://x-stream.github.io/security.html#workaround