Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2021-21349

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3:

  • Severity: High
  • Score: 8.6
  • AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

OWASP TOP 10:

Software From Fixed in
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
debian / debian_linux 11.0 11.0.x
fedoraproject / fedora 33 33.x
fedoraproject / fedora 34 34.x
fedoraproject / fedora 35 35.x
oracle / banking_platform 2.4.0 2.4.0.x
oracle / webcenter_portal 12.2.1.3.0 12.2.1.3.0.x
oracle / webcenter_portal 11.1.1.9.0 11.1.1.9.0.x
oracle / communications_unified_inventory_management 7.3.2 7.3.2.x
oracle / communications_unified_inventory_management 7.3.4 7.3.4.x
oracle / communications_unified_inventory_management 7.3.5 7.3.5.x
oracle / communications_unified_inventory_management 7.4.0 7.4.0.x
oracle / communications_policy_management 12.5.0 12.5.0.x
oracle / webcenter_portal 12.2.1.4.0 12.2.1.4.0.x
oracle / banking_platform 2.7.1 2.7.1.x
oracle / banking_platform 2.9.0 2.9.0.x
oracle / banking_virtual_account_management 14.3.0 14.3.0.x
oracle / communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0 12.0.0.3.0.x
oracle / business_activity_monitoring 12.2.1.3.0 12.2.1.3.0.x
oracle / business_activity_monitoring 11.1.1.9.0 11.1.1.9.0.x
oracle / business_activity_monitoring 12.2.1.4.0 12.2.1.4.0.x
oracle / communications_unified_inventory_management 7.4.1 7.4.1.x
oracle / retail_xstore_point_of_service 16.0.6 16.0.6.x
oracle / retail_xstore_point_of_service 17.0.4 17.0.4.x
oracle / retail_xstore_point_of_service 18.0.3 18.0.3.x
oracle / retail_xstore_point_of_service 19.0.2 19.0.2.x
oracle / banking_platform 2.12.0 2.12.0.x
oracle / banking_virtual_account_management 14.2.0 14.2.0.x
oracle / banking_virtual_account_management 14.5.0 14.5.0.x
oracle / banking_enterprise_default_management 2.12.0 2.12.0.x
oracle / banking_enterprise_default_management 2.10.0 2.10.0.x
oracle / graalvm 21.3.0 21.3.0.x
oracle / graalvm 20.3.4 20.3.4.x
oracle / java_se 8u311 8u311.x
oracle / java_se 7u321 7u321.x
com.thoughtworks.xstream / xstream - 1.4.16
apache / activemq - 5.15.14
apache / activemq 5.16.0 5.16.0.x
apache / activemq 5.16.1 5.16.1.x
apache / jmeter - 5.5
xstream / xstream - 1.4.16