CVE-2021-39150

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
GitHub_MCNA
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
xstreamxstream
𝑥
< 1.4.18
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
netappsnapmanager
-
netappsnapmanager
-
oraclebusiness_activity_monitoring
12.2.1.4.0
oraclecommerce_guided_search
11.3.2
oraclecommunications_billing_and_revenue_management_elastic_charging_engine
11.3
oraclecommunications_billing_and_revenue_management_elastic_charging_engine
12.0
oraclecommunications_cloud_native_core_automated_test_suite
1.9.0
oraclecommunications_cloud_native_core_binding_support_function
1.10.0
oraclecommunications_cloud_native_core_policy
1.14.0
oraclecommunications_unified_inventory_management
7.3.4
oraclecommunications_unified_inventory_management
7.3.5
oraclecommunications_unified_inventory_management
7.4.0
oraclecommunications_unified_inventory_management
7.4.1
oraclecommunications_unified_inventory_management
7.4.2
oracleretail_xstore_point_of_service
16.0.6
oracleretail_xstore_point_of_service
17.0.4
oracleretail_xstore_point_of_service
18.0.3
oracleretail_xstore_point_of_service
19.0.2
oracleretail_xstore_point_of_service
20.0.1
oracleutilities_framework
4.2.0.2.0
oracleutilities_framework
4.2.0.3.0
oracleutilities_framework
4.3.0.1.0
oracleutilities_framework
4.3.0.6.0
oracleutilities_framework
4.4.0.0.0
oracleutilities_framework
4.4.0.2.0
oracleutilities_framework
4.4.0.3.0
oracleutilities_testing_accelerator
6.0.0.1.1
oraclewebcenter_portal
12.2.1.3.0
oraclewebcenter_portal
12.2.1.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxstream-java
bullseye (security)
1.4.15-3+deb11u2
fixed
bullseye
1.4.15-3+deb11u2
fixed
bookworm
1.4.20-1
fixed
sid
1.4.20-2
fixed
trixie
1.4.20-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxstream-java
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
ignored
hirsute
ignored
focal
Fixed 1.4.11.1-1ubuntu0.3
released
bionic
Fixed 1.4.11.1-1+deb10u4build0.18.04.1
released
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210923-0003/
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://x-stream.github.io/CVE-2021-39150.html
https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210923-0003/
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://x-stream.github.io/CVE-2021-39150.html