CVE-2021-43859

🗓️ 01 Feb 2022 12:08:57Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 6 Media mentions👁 259 Views

XStream 1.4.19 fixes remote code execution vulnerabilit

Reporter	Title	Published	Views	Family All 94
FreeBSD	jenkins -- DoS vulnerability in bundled XStream library	9 Feb 202200:00	–	freebsd
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream	30 Mar 202215:22	–	ibm
IBM Security Bulletins	Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar	8 May 202308:40	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Samba, OpenSSL, Python, and XStream affect IBM Spectrum Protect Plus (CVE-2021-20254, CVE-2021-3712, CVE-2021-43859, CVE-2022-0778, CVE-2020-25717, CVE-2021-23192, CVE-2021-3733)	30 Jun 202203:51	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream	27 Apr 202223:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Engineering Test Management is vulnerable to denial of service due to XStream (CVE-2021-43859)	2 May 202307:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE	26 May 202207:31	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)	11 Apr 202215:17	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Golang Go, OpenSSL, Python, and XStream affect IBM Spectrum Copy Data Management	9 Jun 202217:55	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream	22 Nov 202216:29	–	ibm

NVD

Vulners

Node

jenkins jenkinsRange<2.319.3

jenkins jenkinsRange2.321–2.334

Node

xstream xstreamRange<1.4.19

Node

fedoraproject fedoraMatch34

fedoraproject fedoraMatch35

Node

debian debian_linuxMatch9.0

Node

oracle commerce_guided_searchMatch11.3.2

oracle communications_brm_-_elastic_charging_engineRange<12.0.0.4.6

oracle communications_brm_-_elastic_charging_engineMatch12.0.0.5.0

oracle communications_cloud_native_core_automated_test_suiteMatch1.9.0

oracle communications_diameter_intelligence_hubRange8.0.0–8.1.0

oracle communications_diameter_intelligence_hubRange8.2.0–8.2.6

oracle communications_policy_managementMatch12.6.0.0.0

oracle flexcube_private_bankingMatch12.1.0

oracle retail_xstore_point_of_serviceMatch16.0.6

oracle retail_xstore_point_of_serviceMatch17.0.4

oracle retail_xstore_point_of_serviceMatch18.0.3

oracle retail_xstore_point_of_serviceMatch19.0.2

oracle retail_xstore_point_of_serviceMatch20.0.1

[
  {
    "product": "xstream",
    "vendor": "x-stream",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.4.19"
      }
    ]
  }
]

Source	Link
github	www.github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
x-stream	www.x-stream.github.io/CVE-2021-43859.html
openwall	www.openwall.com/lists/oss-security/2022/02/09/1
lists	www.lists.debian.org/debian-lts-announce/2022/02/msg00018.html
github	www.github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
oracle	www.oracle.com/security-alerts/cpujul2022.html
oracle	www.oracle.com/security-alerts/cpuapr2022.html
lists	www.lists.debian.org/debian-lts-announce/2024/12/msg00023.html

03 Nov 2025 22:15Current

7.5High risk

Vulners AI Score7.5

CVSS 25

CVSS 3.17.5

EPSS0.01863

SSVC

CWE-400