CVE-2021-39152

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description XStream is a simple library to serialize objects to XML and back again. In affected versions, this issue may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Recommendations To resolve the issue, use at least version 1.4.18 if you rely on XStream's default blacklist of the Security Framework. As a temporary workaround, consider setting up XStream's security framework with a whitelist limited to the minimal required types.

Exploit

Fix

SSRF

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918CWE-502

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39152

DLA-2769-1

DSA-5004-1

ELSA-2021-3956

GHSA-XW4P-CRPJ-VJX2

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

CVE-2021-39152

Weakness Enumeration

Related Identifiers

Affected Products

References · 89