Skip to main content

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 23, 2021 - 18:15 nvd
HIGH 8.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,776 maven packages depend on com.thoughtworks.xstream:xstream (204 direct, 1,575 indirect)

Ecosystem-wide dependent count for version 1.4.18.

DescriptionNVD

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

AnalysisAI

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Affected products include: Xstream, Fedoraproject Fedora, Debian Debian Linux, Netapp Snapmanager, Oracle Business Activity Monitoring.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2021-39144 HIGH POC
8.5 Aug 23

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerabili

CVE-2021-21345 CRITICAL POC
9.9 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.9), this vulnerabi

CVE-2021-21350 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21347 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21346 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21344 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21351 CRITICAL POC
9.1 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2021-21342 CRITICAL POC
9.1 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2021-29505 HIGH POC
8.8 May 28

XStream is software for serializing Java objects to XML and back again. Rated high severity (CVSS 8.8), this vulnerabili

CVE-2020-26217 HIGH POC
8.8 Nov 16

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to ru

CVE-2021-21349 HIGH POC
8.6 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 8.6), this vulnerability

CVE-2021-39152 HIGH POC
8.5 Aug 23

XStream is a simple library to serialize objects to XML and back again. Rated high severity (CVSS 8.5), this vulnerabili

Share

CVE-2021-39147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy