CVE-2021-21351

Published: Mar 23, 2021Modified: May 23, 2025

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Affected (39)

Products: Netapp: Oncommand Insight · Apache: Activemq, Jmeter · Xstream: Xstream · +3 more

Show all products

1 product

2 products

1 product

1 product

1 product

10 products

Banking Enterprise Default Management

Banking Platform

Banking Virtual Account Management

Business Activity Monitoring

Communications Billing And Revenue Management Elastic Charging Engine

Communications Policy Management

Communications Unified Inventory Management

Mysql Server

Retail Xstore Point Of Service

Webcenter Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Insight	All versions

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Before 5.15.14
Apache Activemq	Version 5.16.0
Apache Activemq	Version 5.16.1
Apache Jmeter	Before 5.5

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Before 1.4.16

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration F

27 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Enterprise Default Management	Version 2.10.0
Oracle Banking Enterprise Default Management	Version 2.12.0
Oracle Banking Platform	Version 2.12.0
Oracle Banking Platform	Version 2.4.0
Oracle Banking Platform	Version 2.7.1
Oracle Banking Platform	Version 2.9.0
Oracle Banking Virtual Account Management	Version 14.2.0
Oracle Banking Virtual Account Management	Version 14.3.0
Oracle Banking Virtual Account Management	Version 14.5.0
Oracle Business Activity Monitoring	Version 11.1.1.9.0
Oracle Business Activity Monitoring	Version 12.2.1.3.0
Oracle Business Activity Monitoring	Version 12.2.1.4.0
Oracle Communications Billing And Revenue Management Elastic Charging Engine	Version 12.0.0.3.0
Oracle Communications Policy Management	Version 12.5.0
Oracle Communications Unified Inventory Management	Version 7.3.2
Oracle Communications Unified Inventory Management	Version 7.3.4
Oracle Communications Unified Inventory Management	Version 7.3.5
Oracle Communications Unified Inventory Management	Version 7.4.0
Oracle Communications Unified Inventory Management	Version 7.4.1
Oracle Mysql Server	Up to 8.0.27
Oracle Retail Xstore Point Of Service	Version 16.0.6
Oracle Retail Xstore Point Of Service	Version 17.0.4
Oracle Retail Xstore Point Of Service	Version 18.0.3
Oracle Retail Xstore Point Of Service	Version 19.0.2
Oracle Webcenter Portal	Version 11.1.1.9.0
Oracle Webcenter Portal	Version 12.2.1.3.0
Oracle Webcenter Portal	Version 12.2.1.4.0

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.