CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector string | AV:N/AC:L/Au:N/C:P/I:N/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 86.9% |
XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to request data from internal resources that are not
publicly available, only by manipulating the processed input stream. No user
who followed the recommendation to set up XStream's security framework with
a whitelist limited to the minimal required types is affected. If you rely
on XStream's default blacklist of the Security Framework, you will have to
use at least version 1.4.16.
OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxstream-java | < 1.4.11.1-1~18.04.2 | UNKNOWN |
ubuntu | 20.04 | noarch | libxstream-java | < 1.4.11.1-1ubuntu0.2 | UNKNOWN |
ubuntu | 20.10 | noarch | libxstream-java | < 1.4.11.1-2ubuntu0.1 | UNKNOWN |
ubuntu | 21.04 | noarch | libxstream-java | < 1.4.15-1ubuntu0.1 | UNKNOWN |
ubuntu | 21.10 | noarch | libxstream-java | < 1.4.15-2 | UNKNOWN |
ubuntu | 22.04 | noarch | libxstream-java | < 1.4.15-2 | UNKNOWN |
ubuntu | 22.10 | noarch | libxstream-java | < 1.4.15-2 | UNKNOWN |
ubuntu | 23.04 | noarch | libxstream-java | < 1.4.15-2 | UNKNOWN |
ubuntu | 23.10 | noarch | libxstream-java | < 1.4.15-2 | UNKNOWN |
ubuntu | 24.04 | noarch | libxstream-java | < 1.4.15-2 | UNKNOWN |
x-stream.github.io/changes.html#1.4.16
github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv
launchpad.net/bugs/cve/CVE-2021-21349
nvd.nist.gov/vuln/detail/CVE-2021-21349
security-tracker.debian.org/tracker/CVE-2021-21349
ubuntu.com/security/notices/USN-4943-1
www.cve.org/CVERecord?id=CVE-2021-21349
x-stream.github.io/CVE-2021-21349.html
x-stream.github.io/security.html#workaround