Логотип exploitDog
bind:"GHSA-64xx-cq4q-mf44" OR bind:"CVE-2021-39139"
Консоль
Логотип exploitDog

exploitDog

bind:"GHSA-64xx-cq4q-mf44" OR bind:"CVE-2021-39139"

Количество 10

Количество 10

github логотип

GHSA-64xx-cq4q-mf44

около 4 лет назад

XStream is vulnerable to an Arbitrary Code Execution attack

CVSS3: 8.5
EPSS: Низкий
ubuntu логотип

CVE-2021-39139

около 4 лет назад

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS3: 8.5
EPSS: Низкий
redhat логотип

CVE-2021-39139

около 4 лет назад

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS3: 8.5
EPSS: Низкий
nvd логотип

CVE-2021-39139

около 4 лет назад

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS3: 8.5
EPSS: Низкий
debian логотип

CVE-2021-39139

около 4 лет назад

XStream is a simple library to serialize objects to XML and back again ...

CVSS3: 8.5
EPSS: Низкий
fstec логотип

BDU:2022-00708

около 4 лет назад

Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат XStream , связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код

CVSS3: 8.8
EPSS: Низкий
suse-cvrf логотип

openSUSE-SU-2021:3476-1

почти 4 года назад

Security update for xstream

EPSS: Низкий
suse-cvrf логотип

openSUSE-SU-2021:1401-1

почти 4 года назад

Security update for xstream

EPSS: Низкий
suse-cvrf логотип

SUSE-SU-2021:3476-1

почти 4 года назад

Security update for xstream

EPSS: Низкий
oracle-oval логотип

ELSA-2021-3956

почти 4 года назад

ELSA-2021-3956: xstream security update (IMPORTANT)

EPSS: Низкий

Уязвимостей на страницу

Уязвимость
CVSS
EPSS
Опубликовано
github логотип
GHSA-64xx-cq4q-mf44

XStream is vulnerable to an Arbitrary Code Execution attack

CVSS3: 8.5
1%
Низкий
около 4 лет назад
ubuntu логотип
CVE-2021-39139

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS3: 8.5
1%
Низкий
около 4 лет назад
redhat логотип
CVE-2021-39139

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS3: 8.5
1%
Низкий
около 4 лет назад
nvd логотип
CVE-2021-39139

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS3: 8.5
1%
Низкий
около 4 лет назад
debian логотип
CVE-2021-39139

XStream is a simple library to serialize objects to XML and back again ...

CVSS3: 8.5
1%
Низкий
около 4 лет назад
fstec логотип
BDU:2022-00708

Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат XStream , связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код

CVSS3: 8.8
1%
Низкий
около 4 лет назад
suse-cvrf логотип
openSUSE-SU-2021:3476-1

Security update for xstream

почти 4 года назад
suse-cvrf логотип
openSUSE-SU-2021:1401-1

Security update for xstream

почти 4 года назад
suse-cvrf логотип
SUSE-SU-2021:3476-1

Security update for xstream

почти 4 года назад
oracle-oval логотип
ELSA-2021-3956

ELSA-2021-3956: xstream security update (IMPORTANT)

почти 4 года назад

Уязвимостей на страницу