CVE-2021-29505
XStream is vulnerable to a Remote Command Execution attack
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
XStream es un software para serializar objetos Java a XML y viceversa. Una vulnerabilidad en las versiones de XStream anteriores a la versión 1.4.17 puede permitir a un atacante remoto que tenga derechos suficientes ejecutar comandos del host sólo manipulando el flujo de entrada procesado. Ningún usuario que haya seguido la recomendación de configurar el marco de seguridad de XStream con una lista blanca limitada a los tipos mínimos necesarios está afectado. La vulnerabilidad está parcheada en la versión 1.4.17
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-03-30 CVE Reserved
- 2021-05-28 CVE Published
- 2021-06-08 First Exploit
- 2024-08-03 CVE Updated
- 2024-10-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (16)
| URL | Tag | Source |
|---|---|---|
| https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc | Third Party Advisory | |
| https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E | Mailing List | |
| https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20210708-0007 | Third Party Advisory |
|
| https://www.oracle.com/security-alerts/cpujul2022.html | X_refsource_misc |
|
| https://www.oracle.com/security-alerts/cpuoct2021.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/MyBlackManba/CVE-2021-29505 | 2021-06-08 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xstream Project Search vendor "Xstream Project" | Xstream Search vendor "Xstream Project" for product "Xstream" | < 1.4.17 Search vendor "Xstream Project" for product "Xstream" and version " < 1.4.17" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | oracle |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | sap |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management" | 14.2 Search vendor "Oracle" for product "Banking Cash Management" and version "14.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management" | 14.3 Search vendor "Oracle" for product "Banking Cash Management" and version "14.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management" | 14.5 Search vendor "Oracle" for product "Banking Cash Management" and version "14.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.2.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.3.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.5.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.2.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.3.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.5.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance" | 14.2.0 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.5.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring" | 11.1.1.9.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "11.1.1.9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" | 11.3 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "11.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" | 12.0 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "12.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.3.4 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.3.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.3.5 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.3.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.0 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center" | 12.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.4.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 20.0.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "20.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal" | 12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal" | 12.2.1.4.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Webcenter Sites Search vendor "Oracle" for product "Webcenter Sites" | 12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Sites" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Webcenter Sites Search vendor "Oracle" for product "Webcenter Sites" | 12.2.1.4.0 Search vendor "Oracle" for product "Webcenter Sites" and version "12.2.1.4.0" | - |
Affected
| ||||||