CVE-2021-21349

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
GitHub_MCNA
6.1 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
netapponcommand_insight
-
apacheactivemq
𝑥
< 5.15.14
apacheactivemq
5.16.0
apacheactivemq
5.16.1
apachejmeter
𝑥
< 5.5
xstreamxstream
𝑥
< 1.4.16
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
oraclebanking_enterprise_default_management
2.10.0
oraclebanking_enterprise_default_management
2.12.0
oraclebanking_platform
2.4.0
oraclebanking_platform
2.7.1
oraclebanking_platform
2.9.0
oraclebanking_platform
2.12.0
oraclebanking_virtual_account_management
14.2.0
oraclebanking_virtual_account_management
14.3.0
oraclebanking_virtual_account_management
14.5.0
oraclebusiness_activity_monitoring
11.1.1.9.0
oraclebusiness_activity_monitoring
12.2.1.3.0
oraclebusiness_activity_monitoring
12.2.1.4.0
oraclecommunications_billing_and_revenue_management_elastic_charging_engine
12.0.0.3.0
oraclecommunications_policy_management
12.5.0
oraclecommunications_unified_inventory_management
7.3.2
oraclecommunications_unified_inventory_management
7.3.4
oraclecommunications_unified_inventory_management
7.3.5
oraclecommunications_unified_inventory_management
7.4.0
oraclecommunications_unified_inventory_management
7.4.1
oraclegraalvm
20.3.4
oraclegraalvm
21.3.0
oracleretail_xstore_point_of_service
16.0.6
oracleretail_xstore_point_of_service
17.0.4
oracleretail_xstore_point_of_service
18.0.3
oracleretail_xstore_point_of_service
19.0.2
oraclewebcenter_portal
11.1.1.9.0
oraclewebcenter_portal
12.2.1.3.0
oraclewebcenter_portal
12.2.1.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxstream-java
bullseye (security)
1.4.15-3+deb11u2
fixed
bullseye
1.4.15-3+deb11u2
fixed
bookworm
1.4.20-1
fixed
sid
1.4.20-2
fixed
trixie
1.4.20-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxstream-java
noble
Fixed 1.4.15-2
released
mantic
Fixed 1.4.15-2
released
lunar
Fixed 1.4.15-2
released
kinetic
Fixed 1.4.15-2
released
jammy
Fixed 1.4.15-2
released
impish
Fixed 1.4.15-2
released
hirsute
Fixed 1.4.15-1ubuntu0.1
released
groovy
Fixed 1.4.11.1-2ubuntu0.1
released
focal
Fixed 1.4.11.1-1ubuntu0.2
released
bionic
Fixed 1.4.11.1-1~18.04.2
released
xenial
Fixed 1.4.8-1ubuntu0.1+esm3
released
trusty
Fixed 1.4.7-1ubuntu0.1+esm2
released
Common Weakness Enumeration
References
http://x-stream.github.io/changes.html#1.4.16
https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210430-0002/
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://x-stream.github.io/CVE-2021-21349.html
https://x-stream.github.io/security.html#workaround
http://x-stream.github.io/changes.html#1.4.16
https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210430-0002/
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://x-stream.github.io/CVE-2021-21349.html
https://x-stream.github.io/security.html#workaround