Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2021-21345

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3:

  • Severity: Critical
  • Score: 9.9
  • AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

  • Severity: Medium
  • Score: 6.5
  • AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

Software From Fixed in
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
debian / debian_linux 11.0 11.0.x
fedoraproject / fedora 33 33.x
fedoraproject / fedora 34 34.x
fedoraproject / fedora 35 35.x
oracle / banking_platform 2.4.0 2.4.0.x
oracle / webcenter_portal 12.2.1.3.0 12.2.1.3.0.x
oracle / webcenter_portal 11.1.1.9.0 11.1.1.9.0.x
oracle / communications_unified_inventory_management 7.3.2 7.3.2.x
oracle / communications_unified_inventory_management 7.3.4 7.3.4.x
oracle / communications_unified_inventory_management 7.3.5 7.3.5.x
oracle / communications_unified_inventory_management 7.4.0 7.4.0.x
oracle / communications_policy_management 12.5.0 12.5.0.x
oracle / peoplesoft_enterprise_peopletools 8.58 8.58.x
oracle / webcenter_portal 12.2.1.4.0 12.2.1.4.0.x
oracle / banking_platform 2.7.1 2.7.1.x
oracle / banking_platform 2.9.0 2.9.0.x
oracle / banking_virtual_account_management 14.3.0 14.3.0.x
oracle / communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0 12.0.0.3.0.x
oracle / business_activity_monitoring 12.2.1.3.0 12.2.1.3.0.x
oracle / business_activity_monitoring 11.1.1.9.0 11.1.1.9.0.x
oracle / business_activity_monitoring 12.2.1.4.0 12.2.1.4.0.x
oracle / peoplesoft_enterprise_peopletools 8.59 8.59.x
oracle / communications_unified_inventory_management 7.4.1 7.4.1.x
oracle / retail_xstore_point_of_service 16.0.6 16.0.6.x
oracle / retail_xstore_point_of_service 17.0.4 17.0.4.x
oracle / retail_xstore_point_of_service 18.0.3 18.0.3.x
oracle / retail_xstore_point_of_service 19.0.2 19.0.2.x
oracle / banking_platform 2.12.0 2.12.0.x
oracle / banking_virtual_account_management 14.2.0 14.2.0.x
oracle / banking_virtual_account_management 14.5.0 14.5.0.x
oracle / banking_enterprise_default_management 2.12.0 2.12.0.x
oracle / banking_enterprise_default_management 2.10.0 2.10.0.x
com.thoughtworks.xstream / xstream - 1.4.16
apache / activemq - 5.15.14
apache / activemq 5.16.0 5.16.0.x
apache / activemq 5.16.1 5.16.1.x
apache / jmeter - 5.5
xstream / xstream - 1.4.16