Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-21348

Опубликовано: 12 мар. 2021
Источник: redhat
CVSS3: 5.9
EPSS Низкий

Описание

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Отчет

OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw. [1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc [2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6xstreamOut of support scope
Red Hat CodeReady Studio 12xstreamAffected
Red Hat Enterprise Linux 7xstreamOut of support scope
Red Hat JBoss A-MQ 6xstreamOut of support scope
Red Hat JBoss BRMS 5xstreamOut of support scope
Red Hat JBoss BRMS 6xstreamOut of support scope
Red Hat JBoss Data Grid 7xstreamOut of support scope
Red Hat JBoss Data Virtualization 6xstreamOut of support scope
Red Hat JBoss Fuse 6xstreamOut of support scope
Red Hat JBoss Fuse Service Works 6xstreamOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-502->CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1942633XStream: ReDoS vulnerability

EPSS

Процентиль: 46%
0.00232
Низкий

5.9 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-21348

CVSS3: 5.3
ubuntu
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

nvd логотип

CVE-2021-21348

CVSS3: 5.3
nvd
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

debian логотип

CVE-2021-21348

CVSS3: 5.3
debian
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. ...

github логотип

GHSA-56p8-3fh9-4cvq

CVSS3: 5.3
github
около 4 лет назад

XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)

fstec логотип

BDU:2021-05485

CVSS3: 7.5
fstec
больше 4 лет назад

Уязвимость Java-библиотеки Xstream для преобразования объектов в форматы XML или JSON, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 46%
0.00232
Низкий

5.9 Medium

CVSS3