CVE-2021-39145

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description The issue allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. This can be done when using affected versions of XStream, a library to serialize objects to XML and back again. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations For versions prior to 1.4.18, update to version 1.4.18 or later, which uses a whitelist by default instead of a blacklist, to prevent the execution of arbitrary code. As a temporary workaround, consider setting up XStream's security framework with a whitelist limited to the minimal required types to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39145

DLA-2769-1

DSA-5004-1

GHSA-8JRJ-525P-826V

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

CVE-2021-39145

Weakness Enumeration

Related Identifiers

Affected Products

References · 94