CVE-2021-21342

Published: Mar 23, 2021Modified: May 23, 2025

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Affected (38)

Products: Netapp: Oncommand Insight · Apache: Activemq, Jmeter · Xstream: Xstream · +3 more

Show all products

1 product

2 products

1 product

1 product

1 product

9 products

Banking Enterprise Default Management

Banking Platform

Banking Virtual Account Management

Business Activity Monitoring

Communications Brm Elastic Charging Engine

Communications Policy Management

Communications Unified Inventory Management

Retail Xstore Point Of Service

Webcenter Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Insight	All versions

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Before 5.15.14
Apache Activemq	Version 5.16.0
Apache Activemq	Version 5.16.1
Apache Jmeter	Before 5.5

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Before 1.4.16

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration F

26 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Enterprise Default Management	Version 2.10.0
Oracle Banking Enterprise Default Management	Version 2.12.0
Oracle Banking Platform	Version 2.12.0
Oracle Banking Platform	Version 2.4.0
Oracle Banking Platform	Version 2.7.1
Oracle Banking Platform	Version 2.9.0
Oracle Banking Virtual Account Management	Version 14.2.0
Oracle Banking Virtual Account Management	Version 14.3.0
Oracle Banking Virtual Account Management	Version 14.5.0
Oracle Business Activity Monitoring	Version 11.1.1.9.0
Oracle Business Activity Monitoring	Version 12.2.1.3.0
Oracle Business Activity Monitoring	Version 12.2.1.4.0
Oracle Communications Brm Elastic Charging Engine	Version 12.0.0.3
Oracle Communications Policy Management	Version 12.5.0
Oracle Communications Unified Inventory Management	Version 7.3.2
Oracle Communications Unified Inventory Management	Version 7.3.4
Oracle Communications Unified Inventory Management	Version 7.3.5
Oracle Communications Unified Inventory Management	Version 7.4.0
Oracle Communications Unified Inventory Management	Version 7.4.1
Oracle Retail Xstore Point Of Service	Version 16.0.6
Oracle Retail Xstore Point Of Service	Version 17.0.4
Oracle Retail Xstore Point Of Service	Version 18.0.3
Oracle Retail Xstore Point Of Service	Version 19.0.2
Oracle Webcenter Portal	Version 11.1.1.9.0
Oracle Webcenter Portal	Version 12.2.1.3.0
Oracle Webcenter Portal	Version 12.2.1.4.0

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.