High severity7.5NVD Advisory· Published May 28, 2021· Updated Jun 17, 2026
CVE-2021-29505
CVE-2021-29505
Description
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.17 | 1.4.17 |
Affected products
9- ghsa-coords8 versionspkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 1.4.17+ 7 more
- (no CPE)range: < 1.4.17
- (no CPE)range: < 1.4.17-lp152.2.9.1
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.17-3.11.2
Patches
Vulnerability mechanics
References
25- github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624fnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2022.htmlnvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-7chv-rrw6-w6fcghsaADVISORY
- github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fcnvdThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2021/07/msg00004.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-29505ghsaADVISORY
- security.netapp.com/advisory/ntap-20210708-0007/nvdThird Party Advisory
- www.debian.org/security/2021/dsa-5004nvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2022.htmlnvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdMailing ListThird Party AdvisoryWEB
- github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227nvdWEB
- lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3EnvdIssue TrackingMailing ListWEB
- lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3EnvdWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPnvdWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7nvdWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBnvdWEB
- security.netapp.com/advisory/ntap-20210708-0007nvdWEB
- x-stream.github.io/CVE-2021-29505.htmlnvdWEB
News mentions
0No linked articles in our index yet.