[email protected]CVE-2021-29505

HistoryMay 28, 2021 - 9:15 p.m.

CVE-2021-29505

2021-05-2821:15:00

CWE-502

CWE-94

[email protected]

web.nvd.nist.gov

280

xstream

xml

java

serialization

remote code execution

cve-2021-29505

security vulnerability

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.048 Low

EPSS

Percentile

92.6%

JSON

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream’s security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

VendorProductVersionCPE
xstream_projectxstream*cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xstream_project	xstream	*	cpe:2.3:a:xstream_project:xstream::::::::

References

github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f

github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E

lists.debian.org/debian-lts-announce/2021/07/msg00004.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/

security.netapp.com/advisory/ntap-20210708-0007/

www.debian.org/security/2021/dsa-5004

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2022.html

www.oracle.com/security-alerts/cpuoct2021.html

Social References

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.048 Low

EPSS

Percentile

92.6%

JSON

Related for CVE-2021-29505

nessus16 ibm10 atlassian4 openvas9 github1 seebug1 nuclei1 redhat7 redhatcve1 oraclelinux1 githubexploit1 osv3 ubuntucve1 suse2 prion1 debian4 amazon1 veracode1 debiancve1 centos1 mageia1 fedora3 oracle4