CVE-2021-21349

CVSS v3.1

8.6

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.16

Description The issue is related to the XStream Java library, which is used to serialize objects to XML and back again. A vulnerability may allow a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream. This can be exploited if the default blacklist of the Security Framework is relied upon. Users who have set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Recommendations To resolve the issue, use at least version 1.4.16 of XStream if you rely on the default blacklist of the Security Framework. As a temporary workaround, consider setting up XStream's security framework with a whitelist limited to the minimal required types to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-918

Related Identifiers

ALT-PU-2022-7660

BDU:2021-05486

BIT-ACTIVEMQ-2021-21349

CVE-2021-21349

DLA-2616-1

DSA-5004-1

GHSA-F6HM-88X3-MFJV

MGASA-2021-0370

OESA-2021-1185

OPENSUSE-SU-2021:0832-1

OPENSUSE-SU-2021:1840-1

OPENSUSE-SU-2021_0832-1

OPENSUSE-SU-2021_1840-1

OPENSUSE-SU-2024:10592-1

SUSE-SU-2021:1840-1

SUSE-SU-2021:1840-2

USN-4943-1

USN-6978-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Suse

Ubuntu

Xstream

CVE-2021-21349

Weakness Enumeration

Related Identifiers

Affected Products

References · 120