Versio.io

CVE-2021-21344

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 23-03-2021 01:15
Last modified: - 16-02-2022 03:54
Total changes: - 12

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Low
Attack complexity
Network
Attack vector
High
Availability
High
Confidentiality
High
Integrity
None
Privileges required
Unchanged
Scope
None
User interaction
9.8
Base score
3.9
5.9
Exploitability score
Impact score
 

Verification logic

OR
OR
vendor=xstream_project AND product=xstream AND versionEndExcluding=1.4.16
OR
vendor=Debian AND product=debian_linux AND version=9.0
vendor=Debian AND product=debian_linux AND version=10.0
vendor=Debian AND product=debian_linux AND version=11.0
OR
vendor=fedoraproject AND product=fedora AND version=33
vendor=fedoraproject AND product=fedora AND version=34
vendor=fedoraproject AND product=fedora AND version=35
OR
vendor=oracle AND product=banking_enterprise_default_management AND version=2.10.0
vendor=oracle AND product=banking_enterprise_default_management AND version=2.12.0
vendor=oracle AND product=banking_platform AND version=2.4.0
vendor=oracle AND product=banking_platform AND version=2.7.1
vendor=oracle AND product=banking_platform AND version=2.9.0
vendor=oracle AND product=banking_platform AND version=2.12.0
vendor=oracle AND product=banking_virtual_account_management AND version=14.2.0
vendor=oracle AND product=banking_virtual_account_management AND version=14.3.0
vendor=oracle AND product=banking_virtual_account_management AND version=14.5.0
vendor=oracle AND product=business_activity_monitoring AND version=11.1.1.9.0
vendor=oracle AND product=business_activity_monitoring AND version=12.2.1.3.0
vendor=oracle AND product=business_activity_monitoring AND version=12.2.1.4.0
vendor=oracle AND product=communications_billing_and_revenue_management_elastic_charging_engine AND version=12.0.0.3.0
vendor=oracle AND product=communications_policy_management AND version=12.5.0
vendor=oracle AND product=communications_unified_inventory_management AND version=7.3.2
vendor=oracle AND product=communications_unified_inventory_management AND version=7.3.4
vendor=oracle AND product=communications_unified_inventory_management AND version=7.3.5
vendor=oracle AND product=communications_unified_inventory_management AND version=7.4.0
vendor=oracle AND product=communications_unified_inventory_management AND version=7.4.1
vendor=oracle AND product=mysql_server AND versionEndIncluding=5.7.36
vendor=oracle AND product=mysql_server AND versionEndIncluding=8.0.27 AND versionStartIncluding=8.0.0
vendor=oracle AND product=retail_xstore_point_of_service AND version=16.0.6
vendor=oracle AND product=retail_xstore_point_of_service AND version=17.0.4
vendor=oracle AND product=retail_xstore_point_of_service AND version=18.0.3
vendor=oracle AND product=retail_xstore_point_of_service AND version=19.0.2
vendor=oracle AND product=webcenter_portal AND version=11.1.1.9.0
vendor=oracle AND product=webcenter_portal AND version=12.2.1.3.0
vendor=oracle AND product=webcenter_portal AND version=12.2.1.4.0
 

Reference

 


Keywords

NVD

 

CVE-2021-21344

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.