CVE-2021-39154
Severity: HIGH
CVSS 3.1 base score: 8.5
Published: Aug 23, 2021
Last modified: Jun 17, 2026
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions, this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host merely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. As of XStream 1.4.18, a blacklist is no longer used by default, since it cannot be secured for general-purpose use.
CVSS Details
Base Score: 8.5 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
- Public Exploit Known
- Patch Available
Weaknesses 2
- CWE-434 Unrestricted Upload of File with Dangerous Type (category: Resource Mgmt)
- CWE-502 Deserialization of Untrusted Data (category: Validation)
Affected Products 36
| Vendor | Product | Version | Range |
|---|---|---|---|
| xstream | xstream | * | <1.4.18 |
| fedoraproject | fedora | 33 | any |
| fedoraproject | fedora | 34 | any |
| fedoraproject | fedora | 35 | any |
| debian | debian_linux | 9.0 | any |
| debian | debian_linux | 10.0 | any |
| debian | debian_linux | 11.0 | any |
| netapp | snapmanager | * | any |
| netapp | snapmanager | * | any |
| oracle | business_activity_monitoring | 12.2.1.4.0 | any |
| oracle | commerce_guided_search | 11.3.2 | any |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3 | any |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0 | any |
| oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 | any |
| oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | any |
| oracle | communications_cloud_native_core_policy | 1.14.0 | any |
| oracle | communications_unified_inventory_management | 7.3.4 | any |
| oracle | communications_unified_inventory_management | 7.3.5 | any |
| oracle | communications_unified_inventory_management | 7.4.0 | any |
| oracle | communications_unified_inventory_management | 7.4.1 | any |
| oracle | communications_unified_inventory_management | 7.4.2 | any |
| oracle | retail_xstore_point_of_service | 16.0.6 | any |
| oracle | retail_xstore_point_of_service | 17.0.4 | any |
| oracle | retail_xstore_point_of_service | 18.0.3 | any |
| oracle | retail_xstore_point_of_service | 19.0.2 | any |
| oracle | retail_xstore_point_of_service | 20.0.1 | any |
| oracle | utilities_framework | 4.2.0.2.0 | any |
| oracle | utilities_framework | 4.2.0.3.0 | any |
| oracle | utilities_framework | 4.3.0.1.0 | any |
| oracle | utilities_framework | 4.3.0.6.0 | any |
| oracle | utilities_framework | 4.4.0.0.0 | any |
| oracle | utilities_framework | 4.4.0.2.0 | any |
| oracle | utilities_framework | 4.4.0.3.0 | any |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 | any |
| oracle | webcenter_portal | 12.2.1.3.0 | any |
| oracle | webcenter_portal | 12.2.1.4.0 | any |
References 11
- github.com https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68
- lists.debian.org https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- security.netapp.com https://security.netapp.com/advisory/ntap-20210923-0003/
- debian.org https://www.debian.org/security/2021/dsa-5004
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
- x-stream.github.io https://x-stream.github.io/CVE-2021-39154.html
Remediation
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2022.html