Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2021-29505

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

CVSS v3:

  • Severity: High
  • Score: 8.8
  • AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: Medium
  • Score: 6.5
  • AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

Software From Fixed in
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
debian / debian_linux 11.0 11.0.x
fedoraproject / fedora 33 33.x
fedoraproject / fedora 34 34.x
fedoraproject / fedora 35 35.x
oracle / webcenter_portal 12.2.1.3.0 12.2.1.3.0.x
oracle / webcenter_sites 12.2.1.3.0 12.2.1.3.0.x
oracle / communications_unified_inventory_management 7.3.4 7.3.4.x
oracle / communications_unified_inventory_management 7.3.5 7.3.5.x
oracle / communications_unified_inventory_management 7.4.0 7.4.0.x
oracle / webcenter_sites 12.2.1.4.0 12.2.1.4.0.x
oracle / webcenter_portal 12.2.1.4.0 12.2.1.4.0.x
oracle / enterprise_manager_ops_center 12.4.0.0 12.4.0.0.x
oracle / banking_credit_facilities_process_management 14.3.0 14.3.0.x
oracle / banking_corporate_lending_process_management 14.3.0 14.3.0.x
oracle / business_activity_monitoring 12.2.1.3.0 12.2.1.3.0.x
oracle / business_activity_monitoring 11.1.1.9.0 11.1.1.9.0.x
oracle / business_activity_monitoring 12.2.1.4.0 12.2.1.4.0.x
oracle / communications_unified_inventory_management 7.4.1 7.4.1.x
oracle / retail_xstore_point_of_service 16.0.6 16.0.6.x
oracle / retail_xstore_point_of_service 17.0.4 17.0.4.x
oracle / retail_xstore_point_of_service 18.0.3 18.0.3.x
oracle / retail_xstore_point_of_service 19.0.2 19.0.2.x
oracle / retail_xstore_point_of_service 20.0.1 20.0.1.x
oracle / banking_supply_chain_finance 14.2.0 14.2.0.x
oracle / banking_trade_finance_process_management 14.5.0 14.5.0.x
oracle / banking_credit_facilities_process_management 14.2.0 14.2.0.x
oracle / banking_credit_facilities_process_management 14.5.0 14.5.0.x
oracle / banking_corporate_lending_process_management 14.2.0 14.2.0.x
oracle / banking_corporate_lending_process_management 14.5.0 14.5.0.x
oracle / banking_cash_management 14.2 14.2.x
oracle / banking_cash_management 14.3 14.3.x
oracle / banking_cash_management 14.5 14.5.x
oracle / communications_brm_-_elastic_charging_engine 12.0 12.0.x
oracle / communications_brm_-_elastic_charging_engine 11.3 11.3.x
oracle / communications_unified_inventory_management 7.4.2 7.4.2.x
com.thoughtworks.xstream / xstream - 1.4.17
xstream / xstream - 1.4.17
oracle / retail_customer_insights 15.0.2 15.0.2.x
oracle / retail_customer_insights 16.0.2 16.0.2.x