Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-21350

Опубликовано: 23 мар. 2021
Источник: nvd
CVSS3: 5.3
CVSS3: 9.8
CVSS2: 7.5
EPSS Низкий

Описание

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
Версия до 5.15.14 (исключая)
cpe:2.3:a:apache:activemq:5.16.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.16.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:jmeter:*:*:*:*:*:*:*:*
Версия до 5.5 (исключая)
Конфигурация 3
cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
Версия до 1.4.16 (исключая)
Конфигурация 4

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Конфигурация 5

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Конфигурация 6

Одно из

cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 92%
0.08244
Низкий

5.3 Medium

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-434
NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2021-21350

CVSS3: 5.3
ubuntu
больше 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

redhat логотип

CVE-2021-21350

CVSS3: 8.1
redhat
больше 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

debian логотип

CVE-2021-21350

CVSS3: 5.3
debian
больше 4 лет назад

XStream is a Java library to serialize objects to XML and back again. ...

github логотип

GHSA-43gc-mjxg-gvrq

CVSS3: 5.3
github
больше 4 лет назад

XStream is vulnerable to an Arbitrary Code Execution attack

fstec логотип

BDU:2021-05506

CVSS3: 9.8
fstec
больше 4 лет назад

Уязвимость Java-библиотеки Xstream для преобразования объектов в форматы XML или JSON, связанная с неограниченной загрузкой файлов опасного типа, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 92%
0.08244
Низкий

5.3 Medium

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-434
NVD-CWE-noinfo