PT-2021-14436

Published: 2021-03-22 · Updated: 2024-08-22 · CVE-2021-21343

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16

Description: XStream is a Java library used to serialize objects to XML and back again. The vulnerability exists in XStream before version 1.4.16: an attacker who controls the processed input stream can replace or inject objects, resulting in the deletion of a file on the local host. The issue arises because, at unmarshalling time, XStream creates new instances based on the type information carried in the processed stream. Users who have set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations: Upgrade to XStream version 1.4.16 or later to resolve the issue. As a temporary workaround, set up XStream's security framework with a whitelist limited to the minimal required types to minimize the risk of exploitation.

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2022-7660
BIT-ACTIVEMQ-2021-21343
CVE-2021-21343
DLA-2616-1
DSA-5004-1
GHSA-74CV-F58X-F9WF
MGASA-2021-0370
OESA-2021-1185
OPENSUSE-SU-2021:0832-1
OPENSUSE-SU-2021:1840-1
OPENSUSE-SU-2021_0832-1
OPENSUSE-SU-2021_1840-1
OPENSUSE-SU-2024:10592-1
SUSE-SU-2021:1840-1
SUSE-SU-2021:1840-2
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Xstream