← Back

CVE-2021-39139

nvd nist
Published: Aug 23, 2021Modified: May 23, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Affected (36)

Products: Xstream: Xstream · Debian: Debian Linux · Fedoraproject: Fedora · +2 more
Show all products
Xstream: Xstream · Debian: Debian Linux · Fedoraproject: Fedora · Netapp: Snapmanager · Oracle: Business Activity Monitoring, Commerce Guided Search, Communications Billing And Revenue Management Elastic Charging Engine, Communications Cloud Native Core Automated Test Suite, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Policy, Communications Unified Inventory Management, Retail Xstore Point Of Service, Utilities Framework, Utilities Testing Accelerator, Webcenter Portal
Xstream
1 product
Xstream
Debian
1 product
Debian Linux
Fedoraproject
1 product
Fedora
Netapp
1 product
Snapmanager
Oracle
11 products
Business Activity Monitoring
Commerce Guided Search
Communications Billing And Revenue Management Elastic Charging Engine
Communications Cloud Native Core Automated Test Suite
Communications Cloud Native Core Binding Support Function
Communications Cloud Native Core Policy
Communications Unified Inventory Management
Retail Xstore Point Of Service
Utilities Framework
Utilities Testing Accelerator
Webcenter Portal
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Xstream
Before 1.4.18
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0
Debian Linux
Version 9.0
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 33
Fedora
Version 34
Fedora
Version 35
Configuration D
2 vulnerable
Vulnerable SoftwareAffected Versions
Netapp
Snapmanager
All versions
Snapmanager
All versions
Configuration E
27 vulnerable
Vulnerable SoftwareAffected Versions
Business Activity Monitoring
Version 12.2.1.4.0
Commerce Guided Search
Version 11.3.2
Oracle
Communications Billing And Revenue Management Elastic Charging Engine
Version 11.3
Communications Billing And Revenue Management Elastic Charging Engine
Version 12.0
Communications Cloud Native Core Automated Test Suite
Version 1.9.0
Communications Cloud Native Core Binding Support Function
Version 1.10.0
Communications Cloud Native Core Policy
Version 1.14.0
Oracle
Communications Unified Inventory Management
Version 7.3.4
Communications Unified Inventory Management
Version 7.3.5
Communications Unified Inventory Management
Version 7.4.0
Communications Unified Inventory Management
Version 7.4.1
Communications Unified Inventory Management
Version 7.4.2
Oracle
Retail Xstore Point Of Service
Version 16.0.6
Retail Xstore Point Of Service
Version 17.0.4
Retail Xstore Point Of Service
Version 18.0.3
Retail Xstore Point Of Service
Version 19.0.2
Retail Xstore Point Of Service
Version 20.0.1
Oracle
Utilities Framework
Version 4.2.0.2.0
Utilities Framework
Version 4.2.0.3.0
Utilities Framework
Version 4.3.0.1.0
Utilities Framework
Version 4.3.0.6.0
Utilities Framework
Version 4.4.0.0.0
Utilities Framework
Version 4.4.0.2.0
Utilities Framework
Version 4.4.0.3.0
Utilities Testing Accelerator
Version 6.0.0.1.1
Oracle
Webcenter Portal
Version 12.2.1.3.0
Webcenter Portal
Version 12.2.1.4.0

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (22)

Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Mailing ListThird Party Advisory
Source: security-advisories@github.com
Mailing List
Source: security-advisories@github.com
Mailing List
Source: security-advisories@github.com
Mailing List
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.