Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-21351

Опубликовано: 12 мар. 2021
Источник: redhat
CVSS3: 8
EPSS Критический

Описание

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Отчет

OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw. [1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc [2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6xstreamOut of support scope
Red Hat CodeReady Studio 12xstreamAffected
Red Hat Enterprise Linux 7xstreamOut of support scope
Red Hat JBoss A-MQ 6xstreamOut of support scope
Red Hat JBoss BRMS 5xstreamOut of support scope
Red Hat JBoss BRMS 6xstreamOut of support scope
Red Hat JBoss Data Grid 7xstreamOut of support scope
Red Hat JBoss Data Virtualization 6xstreamOut of support scope
Red Hat JBoss Fuse 6xstreamOut of support scope
Red Hat JBoss Fuse Service Works 6xstreamOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-502->CWE-434
https://bugzilla.redhat.com/show_bug.cgi?id=1942642XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream

EPSS

Процентиль: 100%
0.91097
Критический

8 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-21351

CVSS3: 5.4
ubuntu
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

nvd логотип

CVE-2021-21351

CVSS3: 5.4
nvd
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

debian логотип

CVE-2021-21351

CVSS3: 5.4
debian
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. ...

github логотип

GHSA-hrcp-8f3q-4w2c

CVSS3: 5.4
github
около 4 лет назад

XStream is vulnerable to an Arbitrary Code Execution attack

fstec логотип

BDU:2021-05940

CVSS3: 9.1
fstec
больше 4 лет назад

Уязвимость Java-библиотеки Xstream для преобразования объектов в форматы XML или JSON, связанная с неограниченной загрузкой файлов опасного типа, позволяющая нарушителю загружать и выполнять произвольный код с удаленного хоста

EPSS

Процентиль: 100%
0.91097
Критический

8 High

CVSS3