PT-2021-4780 · Xstream+7 · Xstream+7

Published

2021-03-12

·

Updated

2024-08-22

·

CVE-2021-21344

CVSS v3.1

10

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.16
Description The issue is related to the XStream Java library, which is used for serializing objects to XML and back again. It may allow a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected.
Recommendations For versions prior to 1.4.16, update to at least version 1.4.16 to resolve the issue. As a temporary workaround, consider setting up XStream's security framework with a whitelist limited to the minimal required types.

Exploit

Fix

Unrestricted File Upload

Deserialization of Untrusted Data

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-434CWE-502CWE-94

Related Identifiers

ALT-PU-2022-1100
ALT-PU-2022-2171
ALT-PU-2022-7660
ALT-PU-2023-1912
BDU:2021-05499
BDU:2021-05946
BIT-ACTIVEMQ-2021-21344
CESA-2021_1354
CVE-2021-21344
DLA-2616-1
DSA-5004-1
ELSA-2021-1354
GHSA-59JW-JQF4-3WQ3
MGASA-2021-0370
OESA-2021-1185
OPENSUSE-SU-2021:0832-1
OPENSUSE-SU-2021:1840-1
OPENSUSE-SU-2021_0832-1
OPENSUSE-SU-2021_1840-1
OPENSUSE-SU-2024:10592-1
RHSA-2021:1354
RHSA-2021_1354
SUSE-SU-2021:1840-1
SUSE-SU-2021:1840-2
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Astra Linux
Centos
Linuxmint
Red Hat
Suse
Ubuntu
Xstream