PT-2021-22407 · Xstream+6

Published: 2021-08-23 · Updated: 2024-06-15 · CVE-2021-39150

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.18
Description: XStream is a simple library to serialize objects to XML and back again. In affected versions, this issue may allow a remote attacker to request data from internal resources that are not publicly available, by manipulating only the processed input stream, when the application runs on a Java runtime version 8 to 14. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.
Recommendations: To resolve the issue, use at least version 1.4.18 of XStream. As a temporary workaround, set up XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, ensure you are using at least version 1.4.18.

Exploit

Fix

SSRF

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

ALT-PU-2022-7660
CVE-2021-39150
DLA-2769-1
DSA-5004-1
ELSA-2021-3956
GHSA-CXFM-5M4G-X7XP
MGASA-2021-0474
OESA-2021-1337
OPENSUSE-SU-2021:1401-1
OPENSUSE-SU-2021:3476-1
OPENSUSE-SU-2021_1401-1
OPENSUSE-SU-2021_3476-1
OPENSUSE-SU-2024:10592-1
RHSA-2021:3956
RHSA-2021_3956
SUSE-SU-2021:3476-1
USN-5946-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Red Hat
Suse
Ubuntu
Xstream