CVSS3 | 8.8 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

CVSS2 | 6.5 Medium |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |

EPSS | 0.035 Low |
---|---|
Percentile | 91.4% |
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load
and execute arbitrary code from a remote host only by manipulating the
processed input stream. A user is only affected if using the version out of
the box with JDK 1.7u21 or below. However, this scenario can be adjusted
easily to an external Xalan that works regardless of the version of the
Java runtime. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types
is affected. XStream 1.4.18 no longer uses a blacklist by default, since
it cannot be secured for general purpose.
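The mitigation the description refers to, shown as an added example that is not part of this record or of the XStream project's own code: the instance is reset to a deny-all baseline and then opened only to the application's own types, so a document naming any other class is rejected before a converter runs. The `Order` class and the `com.example.model` package are assumed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStream {

    // Assumed application type; stands in for whatever the service really unmarshals.
    public static class Order {
        String id;
        int quantity;
    }

    /** Builds an XStream that rejects every type not explicitly allowed. */
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Deny-all baseline: nothing is inherited from any default (black)list.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only what a well-formed document needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // A wildcard is acceptable for a package you own; never for java.** or javax.**.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        // Aliases keep the document format stable without exposing class names.
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample using only allowed types: deserializes normally.
        String ok = "<order><id>A-17</id><quantity>3</quantity></order>";
        Order o = (Order) xstream.fromXML(ok);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed sample naming a type outside the allowlist: rejected by the
        // security framework, so no converter or gadget code ever executes.
        String rejected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(rejected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running this against XStream 1.4.7 or later prints the parsed order and then a `ForbiddenClassException` message for the second document; keep the allowlist to the minimal set of types the application actually exchanges.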
Author | Note |
---|---|
sahnaseredini | For trusty and xenial, the code is not present and the available PoCs cannot be exploited. |
OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxstream-java | < 1.4.11.1-1+deb10u4build0.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | libxstream-java | < 1.4.11.1-1ubuntu0.3 | UNKNOWN |
github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
launchpad.net/bugs/cve/CVE-2021-39139
nvd.nist.gov/vuln/detail/CVE-2021-39139
security-tracker.debian.org/tracker/CVE-2021-39139
ubuntu.com/security/notices/USN-5946-1
www.cve.org/CVERecord?id=CVE-2021-39139
x-stream.github.io/CVE-2021-39139.html