Medium severity6.1NVD Advisory· Published Mar 23, 2021· Updated Jun 17, 2026
CVE-2021-21349
CVE-2021-21349
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.16 | 1.4.16 |
Affected products
10- osv-coords9 versionspkg:bitnami/activemqpkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 5.15.14+ 8 more
- (no CPE)range: < 5.15.14
- (no CPE)range: < 1.4.16
- (no CPE)range: < 1.4.16-lp152.2.6.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
Patches
Vulnerability mechanics
References
23- www.oracle.com/security-alerts/cpujan2022.htmlnvdPatchVendor AdvisoryWEB
- x-stream.github.io/CVE-2021-21349.htmlnvdExploitThird Party AdvisoryWEB
- x-stream.github.io/changes.htmlnvdRelease NotesThird Party AdvisoryWEB
- github.com/advisories/GHSA-f6hm-88x3-mfjvghsaADVISORY
- github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjvnvdThird Party AdvisoryWEB
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EnvdIssue TrackingMailing ListThird Party Advisory
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EnvdIssue TrackingMailing ListThird Party Advisory
- lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/nvdMailing ListThird Party Advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/nvdMailing ListThird Party Advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/nvdMailing ListThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2021-21349ghsaADVISORY
- security.netapp.com/advisory/ntap-20210430-0002/nvdThird Party Advisory
- www.debian.org/security/2021/dsa-5004nvdMailing ListThird Party AdvisoryWEB
- www.oracle.com//security-alerts/cpujul2021.htmlnvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdThird Party AdvisoryWEB
- x-stream.github.io/security.htmlnvdMitigationThird Party AdvisoryWEB
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3EghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- security.netapp.com/advisory/ntap-20210430-0002ghsaWEB
News mentions
0No linked articles in our index yet.