V
Scaner-VS
ENRU
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
Back to catalog
CVE-2021-39153
DEB
High

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker…

CVSS
8.5
High
EPSS
0.04
p90
Published
2021-01-01
Updated
2021-01-01
Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Tags · CWE
File upload
CWE-434
CAPEC-1
Affected products
Business_activity_monitoringCommunications_billing_and_revenue_management_elastic_charging_engineCommunications_cloud_native_core_automated_test_suiteCommunications_cloud_native_core_binding_support_functionCommunications_cloud_native_core_policyCommunications_unified_inventory_managementUtilities_frameworkUtilities_testing_acceleratorWebcenter_portal
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Timeline
2021-01-01
Published
2021-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: H
High (H)
Privileges Required
PR: L
Low (L)
User Interaction
UI: N
None (N)
Scope
S: C
Changed (C)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: H
High (H)
Availability Impact
A: H
High (H)
Exploit indicators
EPSS
0.045 · p90
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-1 · CWE-434
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
Debian
Debian LinuxLibxstream-java
Canonical
Libxstream-java
Red Hat
Xstream
Oracle
Communications Cloud Native Core PolicyWebcenter PortalCommunications Cloud Native Core Binding Support FunctionCommunications Unified Inventory ManagementCommunications Cloud Native Core Automated Test SuiteUtilities FrameworkCommunications Billing And Revenue Management Elastic Charging EngineBusiness Activity MonitoringUtilities Testing Accelerator
Fedoraproject
Fedora
Netapp
Snapmanager
Xstream
Xstream
ProductVendorStatus
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
libxstream-javaTracked
xstreamTracked
business_activity_monitoring*Tracked
communications_billing_and_revenue_management_elastic_charging_engine*Tracked
communications_cloud_native_core_automated_test_suite*Tracked
communications_cloud_native_core_binding_support_function*Tracked
communications_cloud_native_core_policy*Tracked
communications_unified_inventory_management*Tracked
debian_linux*Tracked
fedora*Tracked
snapmanager*Tracked
Showing first 20 of 24
Source databases
DEB
CVE
RED
UBU