Scaner-VS
CVE-2021-39139
DEB
High


CVSS
8.5
High
EPSS
0.05
p90
Published
2021-01-01
Updated
2021-01-01
Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general purpose.
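The fix the description recommends is a type whitelist (allowlist) configured through XStream's security framework. The following is an added example, not code from this page, from the advisory or from the XStream project, showing the default "out of the box" setup next to the hardened setup and demonstrating that a payload naming a type outside the allowlist is rejected. It assumes XStream 1.4.18 or later (Maven `com.thoughtworks.xstream:xstream`) on the classpath; the `Order` DTO, the `order` alias and both XML inputs are constructed for the illustration, and `java.util.Date` is used only as a harmless stand-in for any type the application never intended to unmarshal.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed DTO for the example: the only application type we intend to unmarshal.
    public static class Order {
        long id;
        String customer;
        public Order() {}
    }

    // Constructed benign input: exactly the DTO the application expects.
    static final String BENIGN_XML =
        "<order><id>42</id><customer>acme</customer></order>";

    // Constructed hostile input: the element names a type the application never asked for.
    // A harmless JDK class stands in for the gadget types the advisory refers to.
    static final String FOREIGN_TYPE_XML =
        "<java.util.Date><time>0</time></java.util.Date>";

    // The "out of the box" configuration the advisory warns about. Before 1.4.18 this relied
    // on a blacklist, so any class reachable on the classpath could be instantiated from input.
    static XStream unsafeDefault() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened configuration: deny everything first, then allow only the minimal required types.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);               // start from deny-all
        xs.addPermission(NullPermission.NULL);                 // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // long, int, boolean and boxed forms
        xs.allowTypes(new Class[] { String.class, Order.class }); // exactly what we need, nothing else
        return xs;
    }

    public static void main(String[] args) {
        XStream safe = hardened();

        Order o = (Order) safe.fromXML(BENIGN_XML);
        System.out.println("allowlisted type unmarshalled: id=" + o.id + ", customer=" + o.customer);

        try {
            safe.fromXML(FOREIGN_TYPE_XML);
            System.out.println("UNEXPECTED: type outside the allowlist was accepted");
        } catch (ForbiddenClassException e) {
            // This is the outcome the recommendation in the description relies on.
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

The order of `addPermission` calls matters: `NoTypePermission.NONE` must come first, and every later permission or `allowTypes` call punches a narrow hole in that deny-all rule. Keep the allowlist to the concrete DTO classes the application actually unmarshals; wildcard permissions over whole packages, or `allowTypeHierarchy` on broad interfaces, widen the hole that the attacker-controlled stream gets to probe.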

Tags · CWE
File upload
CWE-434
CAPEC-1
Affected products
business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine, communications_cloud_native_core_automated_test_suite, communications_cloud_native_core_binding_support_function, communications_cloud_native_core_policy, communications_unified_inventory_management, retail_xstore_point_of_service, utilities_framework, utilities_testing_accelerator, webcenter_portal
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 3.1 breakdown
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
Exploit indicators
EPSS
0.046 · p90
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
Known exploits (Сканер-ВС / Scaner-VS)
No Scaner-VS checks are registered for this vulnerability yet.
Affected products (Product: Status)
libxstream-java: Tracked (10 entries)
xstream: Tracked
business_activity_monitoring*: Tracked
commerce_guided_search*: Tracked
communications_billing_and_revenue_management_elastic_charging_engine*: Tracked
communications_cloud_native_core_automated_test_suite*: Tracked
communications_cloud_native_core_binding_support_function*: Tracked
communications_cloud_native_core_policy*: Tracked
communications_unified_inventory_management*: Tracked
debian_linux*: Tracked
fedora*: Tracked
Showing first 20 of 26
Source databases: DEB, CVE, RED, UBU