PT-2021-22403 · Xstream+6 · Xstream+6

Published

2021-08-23

Updated

2024-06-15

CVE-2021-39147

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description The issue allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected. The vulnerability is related to the use of a blacklist, which cannot be secured for general purpose, and has been addressed in XStream 1.4.18 by using a whitelist by default.

Recommendations For versions prior to 1.4.18, setup XStream's security framework with a whitelist limited to the minimal required types to prevent exploitation. As a temporary workaround, consider configuring the security framework to only allow the necessary types until a patch is available.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39147

DLA-2769-1

DSA-5004-1

ELSA-2021-3956

GHSA-H7V4-7XG3-HXCC

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

OPENSUSE-SU-2024:10592-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

PT-2021-22403 · Xstream+6 · Xstream+6

CVE-2021-39147

Weakness Enumeration

Related Identifiers

Affected Products

References · 111