Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2021-21343

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

OWASP TOP 10:

Software From Fixed in
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
debian / debian_linux 11.0 11.0.x
fedoraproject / fedora 33 33.x
fedoraproject / fedora 34 34.x
fedoraproject / fedora 35 35.x
oracle / banking_platform 2.4.0 2.4.0.x
oracle / webcenter_portal 12.2.1.3.0 12.2.1.3.0.x
oracle / webcenter_portal 11.1.1.9.0 11.1.1.9.0.x
oracle / communications_unified_inventory_management 7.3.2 7.3.2.x
oracle / communications_unified_inventory_management 7.3.4 7.3.4.x
oracle / communications_unified_inventory_management 7.3.5 7.3.5.x
oracle / communications_unified_inventory_management 7.4.0 7.4.0.x
oracle / communications_policy_management 12.5.0 12.5.0.x
oracle / webcenter_portal 12.2.1.4.0 12.2.1.4.0.x
oracle / banking_platform 2.7.1 2.7.1.x
oracle / banking_platform 2.9.0 2.9.0.x
oracle / banking_virtual_account_management 14.3.0 14.3.0.x
oracle / communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0 12.0.0.3.0.x
oracle / business_activity_monitoring 12.2.1.3.0 12.2.1.3.0.x
oracle / business_activity_monitoring 11.1.1.9.0 11.1.1.9.0.x
oracle / business_activity_monitoring 12.2.1.4.0 12.2.1.4.0.x
oracle / communications_unified_inventory_management 7.4.1 7.4.1.x
oracle / retail_xstore_point_of_service 16.0.6 16.0.6.x
oracle / retail_xstore_point_of_service 17.0.4 17.0.4.x
oracle / retail_xstore_point_of_service 18.0.3 18.0.3.x
oracle / retail_xstore_point_of_service 19.0.2 19.0.2.x
oracle / banking_platform 2.12.0 2.12.0.x
oracle / banking_virtual_account_management 14.2.0 14.2.0.x
oracle / banking_virtual_account_management 14.5.0 14.5.0.x
oracle / banking_enterprise_default_management 2.12.0 2.12.0.x
oracle / banking_enterprise_default_management 2.10.0 2.10.0.x
com.thoughtworks.xstream / xstream - 1.4.16
apache / activemq - 5.15.14
apache / activemq 5.16.0 5.16.0.x
apache / activemq 5.16.1 5.16.1.x
apache / jmeter - 5.5
xstream / xstream - 1.4.16