PT-2021-4782 · Xstream+7 · Xstream+7

Published

2021-03-12

Updated

2024-08-22

CVE-2021-21347

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.16

Description The issue concerns a Java library used to serialize objects to XML and back again. It may allow a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up the security framework with a whitelist limited to the minimal required types are not affected. The vulnerability is related to unlimited loading of dangerous file types.

Recommendations For versions prior to 1.4.16, update to at least version 1.4.16 to resolve the issue. As a temporary workaround, consider setting up XStream's security framework with a whitelist limited to the minimal required types to prevent exploitation.

Exploit

Fix

Unrestricted File Upload

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434CWE-502

Related Identifiers

ALT-PU-2022-7660

BDU:2021-05501

BIT-ACTIVEMQ-2021-21347

CESA-2021_1354

CVE-2021-21347

DLA-2616-1

DSA-5004-1

ELSA-2021-1354

GHSA-QPFQ-PH7R-QV6F

MGASA-2021-0370

OESA-2021-1185

OPENSUSE-SU-2021:0832-1

OPENSUSE-SU-2021:1840-1

OPENSUSE-SU-2021_0832-1

OPENSUSE-SU-2021_1840-1

OPENSUSE-SU-2024:10592-1

RHSA-2021:1354

RHSA-2021_1354

SUSE-SU-2021:1840-1

SUSE-SU-2021:1840-2

USN-4943-1

USN-6978-1

Affected Products

Alt Linux

Astra Linux

Centos

Linuxmint

Red Hat

Suse

Ubuntu

Xstream

PT-2021-4782 · Xstream+7 · Xstream+7

CVE-2021-21347

Weakness Enumeration

Related Identifiers

Affected Products

References · 123