PT-2021-22404 · Xstream+6 · Xstream+6

Published

2021-08-23

Updated

2023-03-13

CVE-2021-39148

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description The issue allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations For versions prior to 1.4.18, setup XStream's security framework with a whitelist limited to the minimal required types to prevent exploitation. As a temporary workaround, consider disabling the use of blacklists in XStream until a patch is available. Update to version 1.4.18 or later, which uses a whitelist by default and does not rely on a blacklist for security.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39148

DLA-2769-1

DSA-5004-1

ELSA-2021-3956

GHSA-QRX8-8545-4WG2

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

PT-2021-22404 · Xstream+6 · Xstream+6

CVE-2021-39148

Weakness Enumeration

Related Identifiers

Affected Products

References · 92