PT-2021-3670 · Xstream+6

Published

2021-05-14

·

Updated

2025-09-29

·

CVE-2021-29505

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

XStream versions prior to 1.4.17

Description

A vulnerability in XStream may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. The issue stems from shortcomings in the deserialization mechanism: XStream instantiates the types named in the input, and the default blacklist-based type filtering does not stop this attack. Users who have set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations

For versions prior to 1.4.17, update to version 1.4.17 to resolve the issue. As a temporary workaround, and as the durable configuration in any version, set up XStream's security framework with a whitelist limited to the minimal required types; a blacklist is not a sufficient mitigation for this class of issue.
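The whitelist configuration recommended above, as an added example that is not code from the advisory or from the XStream project. It assumes XStream 1.4.x on the classpath and uses only the public security-framework API (addPermission, allowTypes, ForbiddenClassException); the Order class and both XML documents are constructed for the example. The point it shows is the order of operations: first revoke every permission, then add back only the types the application actually needs, so that an input naming any other type is rejected before a converter ever runs.

```java
// Added example: hardening XStream with a type whitelist (not the advisory's
// or the XStream project's own code). Assumes XStream 1.4.x on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class XStreamWhitelistDemo {

    /** Application type this code needs to deserialize (constructed for the example). */
    public static class Order {
        String id;
        int quantity;
        List<String> tags = new ArrayList<>();
    }

    /** Build an XStream instance that accepts only the types this code needs. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Step 1: deny everything. This clears the default blacklist-based rules.
        xstream.addPermission(NoTypePermission.NONE);
        // Step 2: add back the minimum: null, primitives and their wrappers,
        // and the concrete application and collection types that appear in the input.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class, ArrayList.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: every element resolves to a whitelisted type.
        String benign =
            "<order><id>A-1</id><quantity>3</quantity>"
          + "<tags><string>gift</string></tags></order>";
        Order order = (Order) xstream.fromXML(benign);
        System.out.println("Accepted: " + order.id + " x" + order.quantity + " " + order.tags);

        // Constructed input whose root element names a type that is not on the
        // whitelist. The type itself is harmless here; what matters is that the
        // security framework refuses to resolve it at all, which is the property
        // that blocks attacker-chosen types in the processed stream.
        String unlisted =
            "<java.util.HashMap><entry><string>k</string><string>v</string></entry></java.util.HashMap>";
        try {
            xstream.fromXML(unlisted);
            System.out.println("UNEXPECTED: unlisted type was deserialized");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

When auditing an existing deployment, look for the `NoTypePermission.NONE` call: a configuration that only calls `denyTypes` or `denyTypesByRegExp` on top of the defaults is still a blacklist and remains in the affected population described above.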

Weakness Enumeration

Special Elements Injection
Deserialization of Untrusted Data
Code Injection

Related Identifiers

ALSA-2025:16880
ALT-PU-2022-7660
BDU:2021-03903
CESA-2021:2683
CVE-2021-29505
DLA-2704-1
DSA-5004-1
ELSA-2021-2683
GHSA-7CHV-RRW6-W6FC
MGASA-2021-0370
OESA-2021-1208
OPENSUSE-SU-2021:0911-1
OPENSUSE-SU-2021:1995-1
OPENSUSE-SU-2024:10592-1
RHSA-2021:2683
SUSE-SU-2021:1995-1

Affected Products

ALT Linux
Astra Linux
CentOS
Jira
Red Hat
SUSE
XStream