Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2024-1689
Vulnerability from csaf_certbund
Published
2024-07-22 22:00
Modified
2024-07-22 22:00
Summary
Dell Data Protection Advisor: Mehrere Schwachstellen ermöglichen Codeausführung
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Data Protection Advisor ist eine Monitoring Lösung. Der Collector ist der lokale Agent.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Dell Data Protection Advisor ausnutzen, um beliebigen Programmcode auszuführen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Data Protection Advisor ist eine Monitoring Lösung. Der Collector ist der lokale Agent.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Dell Data Protection Advisor ausnutzen, um beliebigen Programmcode auszuführen.", title: "Angriff", }, { category: "general", text: "- Sonstiges\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-1689 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1689.json", }, { category: "self", summary: "WID-SEC-2024-1689 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1689", }, { category: "external", summary: "DELL Security Update for Data Protection Advisor vom 2024-07-22", url: "https://www.dell.com/support/kbdoc/de-de/000227136/dsa-2024-053-security-update-for-data-protection-advisor-multiple-third-party-component-vulnerabilities", }, ], source_lang: "en-US", title: "Dell Data Protection Advisor: Mehrere Schwachstellen ermöglichen Codeausführung", tracking: { current_release_date: "2024-07-22T22:00:00.000+00:00", generator: { date: "2024-08-15T18:11:39.526+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-1689", initial_release_date: "2024-07-22T22:00:00.000+00:00", revision_history: [ { date: "2024-07-22T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<19.11", product: { name: "Dell Data Protection Advisor <19.11", product_id: "T036392", }, }, ], category: "product_name", name: "Data Protection Advisor", }, ], category: "vendor", name: "Dell", }, ], }, vulnerabilities: [ { cve: "CVE-2013-7285", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2019-10173", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2019-10173", }, { cve: "CVE-2021-21342", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21342", }, { cve: "CVE-2021-21344", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21344", }, { cve: "CVE-2021-21345", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21345", }, { cve: "CVE-2021-21346", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21346", }, { cve: "CVE-2021-21347", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21347", }, { cve: "CVE-2021-21350", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21350", }, { cve: "CVE-2021-21351", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler betreffen das Drittanbieter-Element XStream aufgrund einer unsachgemäßen Initialisierung des Sicherheits-Frameworks und einer unzureichenden Eingabevalidierung während des Unmarshalling-Prozesses, wodurch der Eingabestrom manipuliert werden kann. Ein entfernter, anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen. Einige der Schwachstellen erfordern erhöhte Berechtigungen, um erfolgreich ausgenutzt zu werden.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-21351", }, { cve: "CVE-2021-43113", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Dell Data Protection Advisor. Dieser Fehler betrifft die Drittanbieterkomponente iTextPDF aufgrund der unsachgemäßen Behandlung von Dateinamen in der Ghostscript-Befehlszeile, was eine Befehlsinjektion ermöglicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen.", }, ], release_date: "2024-07-22T22:00:00.000+00:00", title: "CVE-2021-43113", }, ], }
cve-2021-21344
Vulnerability from cvelistv5
Published
2021-03-22 23:40
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.795Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21344.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:16", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21344.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-59jw-jqf4-3wq3", discovery: "UNKNOWN", }, title: "XStream is vulnerable to an Arbitrary Code Execution attack", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21344", STATE: "PUBLIC", TITLE: "XStream is vulnerable to an Arbitrary Code Execution attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-434 Unrestricted Upload of File with Dangerous Type", }, ], }, { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3", }, { name: "https://x-stream.github.io/CVE-2021-21344.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21344.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-59jw-jqf4-3wq3", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21344", datePublished: "2021-03-22T23:40:29", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.795Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21346
Vulnerability from cvelistv5
Published
2021-03-22 23:40
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.764Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21346.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:18", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21346.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-4hrm-m67v-5cxr", discovery: "UNKNOWN", }, title: "XStream is vulnerable to an Arbitrary Code Execution attack", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21346", STATE: "PUBLIC", TITLE: "XStream is vulnerable to an Arbitrary Code Execution attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-434 Unrestricted Upload of File with Dangerous Type", }, ], }, { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr", }, { name: "https://x-stream.github.io/CVE-2021-21346.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21346.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-4hrm-m67v-5cxr", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21346", datePublished: "2021-03-22T23:40:20", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.764Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21342
Vulnerability from cvelistv5
Published
2021-03-22 23:40
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.862Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21342.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-918", description: "CWE-918 Server-Side Request Forgery (SSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:14", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21342.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-hvv8-336g-rx3m", discovery: "UNKNOWN", }, title: "A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21342", STATE: "PUBLIC", TITLE: "A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, { description: [ { lang: "eng", value: "CWE-918 Server-Side Request Forgery (SSRF)", }, ], }, ], }, references: { reference_data: [ { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m", }, { name: "https://x-stream.github.io/CVE-2021-21342.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21342.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-hvv8-336g-rx3m", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21342", datePublished: "2021-03-22T23:40:39", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.862Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21345
Vulnerability from cvelistv5
Published
2021-03-22 23:40
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.855Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21345.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94 Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:17", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21345.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-hwpc-8xqv-jvj4", discovery: "UNKNOWN", }, title: "XStream is vulnerable to a Remote Command Execution attack", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21345", STATE: "PUBLIC", TITLE: "XStream is vulnerable to a Remote Command Execution attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-94 Improper Control of Generation of Code ('Code Injection')", }, ], }, { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4", }, { name: "https://x-stream.github.io/CVE-2021-21345.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21345.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-hwpc-8xqv-jvj4", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21345", datePublished: "2021-03-22T23:40:25", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.855Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21347
Vulnerability from cvelistv5
Published
2021-03-22 23:40
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.686Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21347.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:19", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21347.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-qpfq-ph7r-qv6f", discovery: "UNKNOWN", }, title: "XStream is vulnerable to an Arbitrary Code Execution attack", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21347", STATE: "PUBLIC", TITLE: "XStream is vulnerable to an Arbitrary Code Execution attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-434 Unrestricted Upload of File with Dangerous Type", }, ], }, { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f", }, { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://x-stream.github.io/CVE-2021-21347.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21347.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-qpfq-ph7r-qv6f", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21347", datePublished: "2021-03-22T23:40:13", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.686Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-43113
Vulnerability from cvelistv5
Published
2021-12-15 00:00
Modified
2024-08-04 03:47
Severity ?
EPSS score ?
Summary
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T03:47:13.596Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/itext/itext7/releases/tag/7.1.17", }, { tags: [ "x_transferred", ], url: "https://pastebin.com/BXnkY9YY", }, { name: "[debian-lts-announce] 20230118 [SECURITY] [DLA 3273-1] libitext5-java security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00013.html", }, { name: "DSA-5323", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5323", }, { tags: [ "x_transferred", ], url: "https://github.com/itext/itextpdf/releases/tag/5.5.13.3", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-24T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/itext/itext7/releases/tag/7.1.17", }, { url: "https://pastebin.com/BXnkY9YY", }, { name: "[debian-lts-announce] 20230118 [SECURITY] [DLA 3273-1] libitext5-java security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00013.html", }, { name: "DSA-5323", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2023/dsa-5323", }, { url: "https://github.com/itext/itextpdf/releases/tag/5.5.13.3", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-43113", datePublished: "2021-12-15T00:00:00", dateReserved: "2021-11-01T00:00:00", dateUpdated: "2024-08-04T03:47:13.596Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-7285
Vulnerability from cvelistv5
Published
2019-05-15 16:54
Modified
2024-08-06 18:01
Severity ?
EPSS score ?
Summary
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/oss-sec/2014/q1/69 | mailing-list, x_refsource_MLIST | |
| https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html | mailing-list, x_refsource_MLIST | |
| https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html | x_refsource_MISC | |
| https://x-stream.github.io/CVE-2013-7285.html | x_refsource_CONFIRM | |
| https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC | |
| http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T18:01:20.408Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://seclists.org/oss-sec/2014/q1/69", }, { name: "[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html", }, { name: "[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://x-stream.github.io/CVE-2013-7285.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-07-17T00:00:00", descriptions: [ { lang: "en", value: "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-25T12:46:54", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://seclists.org/oss-sec/2014/q1/69", }, { name: "[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html", }, { name: "[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://x-stream.github.io/CVE-2013-7285.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", ], url: "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2013-7285", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream", refsource: "MLIST", url: "http://seclists.org/oss-sec/2014/q1/69", }, { name: "[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", refsource: "MLIST", url: "https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html", }, { name: "[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", refsource: "MLIST", url: "https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", refsource: "MLIST", url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E", }, { name: "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", refsource: "MISC", url: "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", }, { name: "https://x-stream.github.io/CVE-2013-7285.html", refsource: "CONFIRM", url: "https://x-stream.github.io/CVE-2013-7285.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", refsource: "MISC", url: "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2013-7285", datePublished: "2019-05-15T16:54:57", dateReserved: "2014-01-09T00:00:00", dateUpdated: "2024-08-06T18:01:20.408Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-10173
Vulnerability from cvelistv5
Published
2019-07-23 12:50
Modified
2024-08-04 22:10
Severity ?
EPSS score ?
Summary
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:4352 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2020:0445 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2020:0727 | vendor-advisory, x_refsource_REDHAT | |
| https://www.oracle.com/security-alerts/cpuapr2020.html | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173 | x_refsource_CONFIRM | |
| http://x-stream.github.io/changes.html#1.4.11 | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpujan2021.html | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC | |
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T22:10:10.018Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0445", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.11", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "xstream", versions: [ { status: "affected", version: "fixed in 1.4.11", }, ], }, ], descriptions: [ { lang: "en", value: "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-20T22:53:25", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0445", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.11", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2019-10173", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "fixed in 1.4.11", }, ], }, }, ], }, vendor_name: "xstream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)", }, ], }, impact: { cvss: [ [ { vectorString: "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-94", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0445", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "RHSA-2020:0727", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", }, { name: "http://x-stream.github.io/changes.html#1.4.11", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.11", }, { name: "https://www.oracle.com/security-alerts/cpujan2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-10173", datePublished: "2019-07-23T12:50:44", dateReserved: "2019-03-27T00:00:00", dateUpdated: "2024-08-04T22:10:10.018Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21351
Vulnerability from cvelistv5
Published
2021-03-22 23:45
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.774Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21351.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:23", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21351.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-hrcp-8f3q-4w2c", discovery: "UNKNOWN", }, title: "XStream is vulnerable to an Arbitrary Code Execution attack", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21351", STATE: "PUBLIC", TITLE: "XStream is vulnerable to an Arbitrary Code Execution attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-434 Unrestricted Upload of File with Dangerous Type", }, ], }, { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c", }, { name: "https://x-stream.github.io/CVE-2021-21351.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21351.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-hrcp-8f3q-4w2c", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21351", datePublished: "2021-03-22T23:45:15", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.774Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21350
Vulnerability from cvelistv5
Published
2021-03-22 23:45
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.914Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://x-stream.github.io/CVE-2021-21350.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.16", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:41:22", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/security.html#workaround", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq", }, { tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2021-21350.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-5004", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-43gc-mjxg-gvrq", discovery: "UNKNOWN", }, title: "XStream is vulnerable to an Arbitrary Code Execution attack", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21350", STATE: "PUBLIC", TITLE: "XStream is vulnerable to an Arbitrary Code Execution attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "< 1.4.16", }, ], }, }, ], }, vendor_name: "x-stream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-434 Unrestricted Upload of File with Dangerous Type", }, ], }, { description: [ { lang: "eng", value: "CWE-502 Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://x-stream.github.io/security.html#workaround", refsource: "MISC", url: "https://x-stream.github.io/security.html#workaround", }, { name: "http://x-stream.github.io/changes.html#1.4.16", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.16", }, { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq", refsource: "CONFIRM", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq", }, { name: "https://x-stream.github.io/CVE-2021-21350.html", refsource: "MISC", url: "https://x-stream.github.io/CVE-2021-21350.html", }, { name: "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html", }, { name: "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210430-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210430-0002/", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "FEDORA-2021-fbad11014a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/", }, { name: "FEDORA-2021-d894ca87dc", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "FEDORA-2021-5e376c0ed9", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/", }, { name: "DSA-5004", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-5004", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-43gc-mjxg-gvrq", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21350", datePublished: "2021-03-22T23:45:20", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.914Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.