
CVE-2021-39144

Known Exploited (CISA KEV)
Severity: HIGH
CVSS Severity Score: 8.5
EPSS Score: 93.5370%
EPSS Percentile: 85.29th
Published: 23 August 2021
Last Modified: 24 October 2025

Vulnerability Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Affected Platforms (CPE)

Vendor / Product: affected versions

Xstream / Xstream: < 1.4.18
Debian / Debian Linux (operating system): 9.0, 10.0, 11.0
Fedoraproject / Fedora (operating system): 33, 34, 35
Netapp / Snapmanager: all versions
Oracle / Business Activity Monitoring: 12.2.1.4.0
Oracle / Commerce Guided Search: 11.3.2
Oracle / Communications Billing And Revenue Management Elastic Charging Engine: 11.3, 12.0
Oracle / Communications Cloud Native Core Automated Test Suite: 1.9.0
Oracle / Communications Cloud Native Core Binding Support Function: 1.10.0
Oracle / Communications Cloud Native Core Policy: 1.14.0
Oracle / Communications Unified Inventory Management: 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2
Oracle / Retail Xstore Point Of Service: 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1
Oracle / Utilities Framework: 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
Oracle / Utilities Testing Accelerator: 6.0.0.1.1
Oracle / Webcenter Portal: 12.2.1.3.0, 12.2.1.4.0
