PT-2021-5333 · Xstream+5

Published

2021-03-12

·

Updated

2024-08-22

·

CVE-2021-21342

CVSS v2.0

9.4

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

XStream versions prior to 1.4.16
Description

The vulnerability lies in the deserialization (unmarshalling) mechanism of the XStream Java library, which converts objects to XML or JSON and back. The processed stream carries the type information needed to recreate the originally written objects, and XStream instantiates new objects from that type information. An attacker who controls the input stream can therefore replace or inject objects based on the type names in the stream, which results in a server-side request forgery and allows access to protected information. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected.
Recommendations

Upgrade to XStream 1.4.16 or later if you rely on the default blacklist of the Security Framework. Independently of the upgrade, set up XStream's security framework with a whitelist limited to the minimal required types: on an unpatched version this serves as a workaround, and it remains the recommended configuration afterwards, because a blacklist can only cover types already known to be dangerous.
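The following is an added example, not code from the XStream project or from this advisory. It shows the two configurations the description and recommendation above contrast: a permissive setup in which every type named in the stream is instantiated unless it is on a deny list, and a whitelist setup in which nothing is instantiated unless it is explicitly allowed. The class `XStreamAllowlistDemo`, the domain type `Person`, the constructed inputs `EXPECTED_XML` and `TAMPERED_XML`, and the helper `unmarshal` are assumptions made for this illustration; `java.util.HashMap` stands in for an attacker-chosen type because the advisory gives no gadget chain and none is reproduced here. The permissive branch is written out explicitly with `AnyTypePermission.ANY` plus one `denyTypes` entry, because what an unconfigured `XStream` instance does depends on the 1.4.x release in use. XStream (`com.thoughtworks.xstream:xstream`, 1.4.16 or later assumed) must be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example (not XStream project code). Assumes XStream 1.4.16+ on the classpath.
public class XStreamAllowlistDemo {

    // The one application type this endpoint is supposed to unmarshal (hypothetical).
    public static class Person {
        public String name;
        public int age;
    }

    // Constructed sample input: what a legitimate client sends.
    static final String EXPECTED_XML =
        "<person><name>alice</name><age>30</age></person>";

    // Constructed sample input: the root element names a different class.
    // XStream resolves the element name to a type and instantiates it, so the
    // stream, not the application, decides what gets created. HashMap is a
    // harmless stand-in for an attacker-chosen type.
    static final String TAMPERED_XML = "<java.util.HashMap/>";

    // Blacklist-style configuration: everything is allowed unless explicitly
    // denied. One known-dangerous JDK type is denied to show the shape of a
    // blacklist; any type not on the list, such as HashMap, still gets created.
    public static XStream blacklistXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(AnyTypePermission.ANY);
        xstream.denyTypes(new Class[] { java.beans.EventHandler.class });
        xstream.alias("person", Person.class);
        return xstream;
    }

    // Whitelist configuration: remove all permissions, then allow only what the
    // application needs (nulls, primitives, String and Person).
    public static XStream allowlistXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything first
        xstream.addPermission(NullPermission.NULL);                // null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.alias("person", Person.class);
        return xstream;
    }

    // Unmarshals untrusted XML and reports which class, if any, was instantiated.
    public static String unmarshal(XStream xstream, String untrustedXml) {
        try {
            Object obj = xstream.fromXML(untrustedXml);
            return "instantiated " + (obj == null ? "null" : obj.getClass().getName());
        } catch (ForbiddenClassException e) {
            return "rejected by type permission: " + e.getMessage();
        } catch (XStreamException e) {
            // A permission failure deeper in the object graph may arrive wrapped.
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return "rejected by type permission: " + t.getMessage();
                }
            }
            return "parse failure: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream blacklist = blacklistXStream();
        XStream allowlist = allowlistXStream();

        System.out.println("blacklist, expected input: " + unmarshal(blacklist, EXPECTED_XML));
        System.out.println("blacklist, tampered input: " + unmarshal(blacklist, TAMPERED_XML));
        // the stream chose the type: HashMap is instantiated because no list names it

        System.out.println("allowlist, expected input: " + unmarshal(allowlist, EXPECTED_XML));
        System.out.println("allowlist, tampered input: " + unmarshal(allowlist, TAMPERED_XML));
        // HashMap is rejected before any instance exists
    }
}
```

The difference to look for is in the tampered case: with the blacklist branch the stream's type name is honoured and a `java.util.HashMap` is created, exactly the mechanism the description calls replacing or injecting objects; with the whitelist branch the type is refused before an instance exists, which is why the advisory says whitelisted deployments are not affected. In a real application the allowed set should be the application's own model types plus the primitives and `String`, and nothing from the JDK beyond what those types require.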

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data

SSRF

Related Identifiers

ALT-PU-2022-7660
BDU:2021-06161
BIT-ACTIVEMQ-2021-21342
CVE-2021-21342
DLA-2616-1
DSA-5004-1
GHSA-HVV8-336G-RX3M
MGASA-2021-0370
OESA-2021-1185
OPENSUSE-SU-2021:0832-1
OPENSUSE-SU-2021:1840-1
OPENSUSE-SU-2021_0832-1
OPENSUSE-SU-2021_1840-1
OPENSUSE-SU-2024:10592-1
SUSE-SU-2021:1840-1
SUSE-SU-2021:1840-2
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Xstream