CVE-2021-39146

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description This issue may allow a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected. The vulnerability is related to the library's ability to serialize objects to XML and back again.

Recommendations For versions prior to 1.4.18, consider setting up XStream's security framework with a whitelist limited to the minimal required types to mitigate the risk of exploitation. As a temporary workaround, restrict the use of the library's default blacklist configuration, as it cannot be secured for general purpose. Update to version 1.4.18 or later, which uses a whitelist by default.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39146

DLA-2769-1

DSA-5004-1

GHSA-P8PQ-R894-FM8F

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

CVE-2021-39146

Weakness Enumeration

Related Identifiers

Affected Products

References · 94