Versio.io

CVE-2021-21343

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 23-03-2021 01:15
Last modified: - 16-02-2022 03:50
Total changes: - 12

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Low
Attack complexity
Network
Attack vector
None
Availability
None
Confidentiality
High
Integrity
None
Privileges required
Unchanged
Scope
None
User interaction
7.5
Base score
3.9
3.6
Exploitability score
Impact score
 

Verification logic

OR
OR
vendor=xstream_project AND product=xstream AND versionEndExcluding=1.4.16
OR
vendor=Debian AND product=debian_linux AND version=9.0
vendor=Debian AND product=debian_linux AND version=10.0
vendor=Debian AND product=debian_linux AND version=11.0
OR
vendor=fedoraproject AND product=fedora AND version=33
vendor=fedoraproject AND product=fedora AND version=34
vendor=fedoraproject AND product=fedora AND version=35
OR
vendor=oracle AND product=banking_enterprise_default_management AND version=2.10.0
vendor=oracle AND product=banking_enterprise_default_management AND version=2.12.0
vendor=oracle AND product=banking_platform AND version=2.4.0
vendor=oracle AND product=banking_platform AND version=2.7.1
vendor=oracle AND product=banking_platform AND version=2.9.0
vendor=oracle AND product=banking_platform AND version=2.12.0
vendor=oracle AND product=banking_virtual_account_management AND version=14.2.0
vendor=oracle AND product=banking_virtual_account_management AND version=14.3.0
vendor=oracle AND product=banking_virtual_account_management AND version=14.5.0
vendor=oracle AND product=business_activity_monitoring AND version=11.1.1.9.0
vendor=oracle AND product=business_activity_monitoring AND version=12.2.1.3.0
vendor=oracle AND product=business_activity_monitoring AND version=12.2.1.4.0
vendor=oracle AND product=communications_billing_and_revenue_management_elastic_charging_engine AND version=12.0.0.3.0
vendor=oracle AND product=communications_policy_management AND version=12.5.0
vendor=oracle AND product=communications_unified_inventory_management AND version=7.3.2
vendor=oracle AND product=communications_unified_inventory_management AND version=7.3.4
vendor=oracle AND product=communications_unified_inventory_management AND version=7.3.5
vendor=oracle AND product=communications_unified_inventory_management AND version=7.4.0
vendor=oracle AND product=communications_unified_inventory_management AND version=7.4.1
vendor=oracle AND product=retail_xstore_point_of_service AND version=16.0.6
vendor=oracle AND product=retail_xstore_point_of_service AND version=17.0.4
vendor=oracle AND product=retail_xstore_point_of_service AND version=18.0.3
vendor=oracle AND product=retail_xstore_point_of_service AND version=19.0.2
vendor=oracle AND product=webcenter_portal AND version=11.1.1.9.0
vendor=oracle AND product=webcenter_portal AND version=12.2.1.3.0
vendor=oracle AND product=webcenter_portal AND version=12.2.1.4.0
 

Reference

 


Keywords

NVD

 

CVE-2021-21343

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.