CVE-2021-21342
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.16 | 1.4.16 |
Affected products
10- osv-coords9 versionspkg:bitnami/activemqpkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 5.15.14+ 8 more
- (no CPE)range: < 5.15.14
- (no CPE)range: < 1.4.16
- (no CPE)range: < 1.4.16-lp152.2.6.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
Patches
Vulnerability mechanics
References
23- www.oracle.com/security-alerts/cpujan2022.htmlnvdNot ApplicablePatchVendor AdvisoryWEB
- x-stream.github.io/CVE-2021-21342.htmlnvdExploitThird Party AdvisoryWEB
- x-stream.github.io/changes.htmlnvdRelease NotesThird Party AdvisoryWEB
- github.com/advisories/GHSA-hvv8-336g-rx3mghsaADVISORY
- github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3mnvdThird Party AdvisoryWEB
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EnvdIssue TrackingMailing ListThird Party Advisory
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EnvdIssue TrackingMailing ListThird Party Advisory
- lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/nvdMailing ListThird Party Advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/nvdMailing ListThird Party Advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/nvdMailing ListThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2021-21342ghsaADVISORY
- security.netapp.com/advisory/ntap-20210430-0002/nvdThird Party Advisory
- www.debian.org/security/2021/dsa-5004nvdMailing ListThird Party AdvisoryWEB
- www.oracle.com//security-alerts/cpujul2021.htmlnvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdThird Party AdvisoryWEB
- x-stream.github.io/security.htmlnvdMitigationThird Party AdvisoryWEB
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3EghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- security.netapp.com/advisory/ntap-20210430-0002ghsaWEB
News mentions
0No linked articles in our index yet.