CVE-2021-29505

Severity: High (CVSS 3.1 base score 8.8)
Published May 28, 2021 · Last Modified Jun 17, 2026

Description

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (2)

CWE-502 Deserialization of Untrusted Data (category: Validation)
CWE-94 Improper Control of Generation of Code ('Code Injection') (category: Injection)

Affected Products (42)

Vendor          Product                                              Version       Range
xstream         xstream                                              *             <1.4.17
debian          debian_linux                                         9.0           any
debian          debian_linux                                         10.0          any
debian          debian_linux                                         11.0          any
fedoraproject   fedora                                               33            any
fedoraproject   fedora                                               34            any
fedoraproject   fedora                                               35            any
netapp          snapmanager                                          *             any
netapp          snapmanager                                          *             any
oracle          banking_cash_management                              14.2          any
oracle          banking_cash_management                              14.3          any
oracle          banking_cash_management                              14.5          any
oracle          banking_corporate_lending_process_management         14.2.0        any
oracle          banking_corporate_lending_process_management         14.3.0        any
oracle          banking_corporate_lending_process_management         14.5.0        any
oracle          banking_credit_facilities_process_management         14.2.0        any
oracle          banking_credit_facilities_process_management         14.3.0        any
oracle          banking_credit_facilities_process_management         14.5.0        any
oracle          banking_supply_chain_finance                         14.2.0        any
oracle          banking_trade_finance_process_management             14.5.0        any
oracle          business_activity_monitoring                         11.1.1.9.0    any
oracle          business_activity_monitoring                         12.2.1.3.0    any
oracle          business_activity_monitoring                         12.2.1.4.0    any
oracle          communications_brm_-_elastic_charging_engine         11.3          any
oracle          communications_brm_-_elastic_charging_engine         12.0          any
oracle          communications_unified_inventory_management          7.3.4         any
oracle          communications_unified_inventory_management          7.3.5         any
oracle          communications_unified_inventory_management          7.4.0         any
oracle          communications_unified_inventory_management          7.4.1         any
oracle          communications_unified_inventory_management          7.4.2         any
oracle          enterprise_manager_ops_center                        12.4.0.0      any
oracle          retail_customer_insights                             15.0.2        any
oracle          retail_customer_insights                             16.0.2        any
oracle          retail_xstore_point_of_service                       16.0.6        any
oracle          retail_xstore_point_of_service                       17.0.4        any
oracle          retail_xstore_point_of_service                       18.0.3        any
oracle          retail_xstore_point_of_service                       19.0.2        any
oracle          retail_xstore_point_of_service                       20.0.1        any
oracle          webcenter_portal                                     12.2.1.3.0    any
oracle          webcenter_portal                                     12.2.1.4.0    any
oracle          webcenter_sites                                      12.2.1.3.0    any
oracle          webcenter_sites                                      12.2.1.4.0    any

References (20)

  • github.com https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
    Patch, Third Party Advisory
  • github.com https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
  • github.com https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
    Third Party Advisory
  • lists.apache.org https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E
    Issue Tracking, Mailing List
  • lists.apache.org https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210708-0007
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210708-0007/
    Third Party Advisory
  • debian.org https://www.debian.org/security/2021/dsa-5004
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Mailing List, Third Party Advisory
  • x-stream.github.io https://x-stream.github.io/CVE-2021-29505.html

Remediation

  • github.com https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory