CVE-2021-39154

CVSS v3.1

8.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description The issue allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations For versions prior to 1.4.18, consider setting up XStream's security framework with a whitelist limited to the minimal required types as a temporary workaround until a patch is available. Update to version 1.4.18 or later, which uses a whitelist by default and no longer relies on a blacklist for security.

Exploit

Fix

Deserialization of Untrusted Data

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-434

Related Identifiers

ALT-PU-2022-7660

CVE-2021-39154

DLA-2769-1

DSA-5004-1

ELSA-2021-3956

GHSA-6W62-HX7R-MW68

MGASA-2021-0474

OESA-2021-1337

OPENSUSE-SU-2021:1401-1

OPENSUSE-SU-2021:3476-1

OPENSUSE-SU-2021_1401-1

OPENSUSE-SU-2021_3476-1

RHSA-2021:3956

RHSA-2021_3956

SUSE-SU-2021:3476-1

USN-5946-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

CVE-2021-39154

Weakness Enumeration

Related Identifiers

Affected Products

References · 93