CVE-2021-29505
28.05.2021, 21:15
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
| Vendor | Product | Version |
|---|---|---|
| xstream | xstream | 𝑥 < 1.4.17 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| netapp | snapmanager | - |
| netapp | snapmanager | - |
| oracle | banking_cash_management | 14.2 |
| oracle | banking_cash_management | 14.3 |
| oracle | banking_cash_management | 14.5 |
| oracle | banking_corporate_lending_process_management | 14.2.0 |
| oracle | banking_corporate_lending_process_management | 14.3.0 |
| oracle | banking_corporate_lending_process_management | 14.5.0 |
| oracle | banking_credit_facilities_process_management | 14.2.0 |
| oracle | banking_credit_facilities_process_management | 14.3.0 |
| oracle | banking_credit_facilities_process_management | 14.5.0 |
| oracle | banking_supply_chain_finance | 14.2.0 |
| oracle | banking_trade_finance_process_management | 14.5.0 |
| oracle | business_activity_monitoring | 11.1.1.9.0 |
| oracle | business_activity_monitoring | 12.2.1.3.0 |
| oracle | business_activity_monitoring | 12.2.1.4.0 |
| oracle | communications_brm_-_elastic_charging_engine | 11.3 |
| oracle | communications_brm_-_elastic_charging_engine | 12.0 |
| oracle | communications_unified_inventory_management | 7.3.4 |
| oracle | communications_unified_inventory_management | 7.3.5 |
| oracle | communications_unified_inventory_management | 7.4.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | communications_unified_inventory_management | 7.4.2 |
| oracle | enterprise_manager_ops_center | 12.4.0.0 |
| oracle | retail_customer_insights | 15.0.2 |
| oracle | retail_customer_insights | 16.0.2 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | retail_xstore_point_of_service | 20.0.1 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | webcenter_sites | 12.2.1.3.0 |
| oracle | webcenter_sites | 12.2.1.4.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-502 - Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
References