PT-2021-22408 · Xstream+6 · Xstream+6

Published

2021-08-23

Updated

2023-03-13

CVE-2021-39151

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description XStream is a library used to serialize objects to XML and back again. This issue may allow a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations For versions prior to 1.4.18, consider setting up XStream's security framework with a whitelist limited to the minimal required types as a temporary workaround until a patch is available. Update to XStream version 1.4.18 or later, which no longer uses a blacklist by default.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39151

DLA-2769-1

DSA-5004-1

ELSA-2021-3956

GHSA-HPH2-M3G5-XXV4

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

PT-2021-22408 · Xstream+6 · Xstream+6

CVE-2021-39151

Weakness Enumeration

Related Identifiers

Affected Products

References · 93