CVE-2021-39153
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.18 | 1.4.18 |
Affected products
9- ghsa-coords8 versionspkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 1.4.18+ 7 more
- (no CPE)range: < 1.4.18
- (no CPE)range: < 1.4.18-lp152.2.12.1
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-3.14.1
Patches
Vulnerability mechanics
References
17- www.oracle.com/security-alerts/cpuapr2022.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2022.htmlnvdPatchThird Party AdvisoryWEB
- x-stream.github.io/CVE-2021-39153.htmlnvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-2q8x-2p7f-574vghsaADVISORY
- github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574vnvdThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2021/09/msg00017.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-39153ghsaADVISORY
- security.netapp.com/advisory/ntap-20210923-0003/nvdThird Party Advisory
- www.debian.org/security/2021/dsa-5004nvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2022.htmlnvdThird Party AdvisoryWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- security.netapp.com/advisory/ntap-20210923-0003ghsaWEB
News mentions
0No linked articles in our index yet.