1. Home
  2. Vulnerabilities
  3. CVE-2021-21346

CVE-2021-21346

CVSS v3.1 9.8 (Critical)
98% Progress
CVSS v2.0 7.5 (High)
75% Progress
EPSS 1.80 % (88th)
1.80% Progress
Affected Products 13
Advisories 13
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Weaknesses
CWE-434
Unrestricted Upload of File with Dangerous Type
CWE-502
Deserialization of Untrusted Data
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2021-03-23 00:15:12
(3 years ago)
Updated Date
2023-11-07 03:29:54
(10 months ago)

Affected Products

Debian

Fedoraproject

Oracle

Xstream Project

Configuration #1

    CPE23 From Up To
  Xstream Project Xstream prior 1.4.16 version cpe:2.3:a:xstream_project:xstream < 1.4.16

Configuration #2

    CPE23 From Up To
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0
  Debian Linux 11.0 cpe:2.3:o:debian:debian_linux:11.0

Configuration #3

    CPE23 From Up To
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33
  Fedoraproject Fedora 34 cpe:2.3:o:fedoraproject:fedora:34
  Fedoraproject Fedora 35 cpe:2.3:o:fedoraproject:fedora:35

Configuration #4

    CPE23 From Up To
  Oracle Banking Enterprise Default Management 2.10.0 cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0
  Oracle Banking Enterprise Default Management 2.12.0 cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0
  Oracle Banking Platform 2.4.0 cpe:2.3:a:oracle:banking_platform:2.4.0
  Oracle Banking Platform 2.7.1 cpe:2.3:a:oracle:banking_platform:2.7.1
  Oracle Banking Platform 2.9.0 cpe:2.3:a:oracle:banking_platform:2.9.0
  Oracle Banking Platform 2.12.0 cpe:2.3:a:oracle:banking_platform:2.12.0
  Oracle Banking Virtual Account Management 14.2.0 cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0
  Oracle Banking Virtual Account Management 14.3.0 cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0
  Oracle Banking Virtual Account Management 14.5.0 cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0
  Oracle Bi Publisher 5.5.0.0.0 cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0
  Oracle Bi Publisher 12.2.1.3.0 cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0
  Oracle Bi Publisher 12.2.1.4.0 cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0
  Oracle Business Activity Monitoring 11.1.1.9.0 cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0
  Oracle Business Activity Monitoring 12.2.1.3.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0
  Oracle Business Activity Monitoring 12.2.1.4.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0
  Oracle Communications Billing And Revenue Management Elastic Charging Engine 12.0.0.3.0 cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0
  Oracle Communications Policy Management 12.5.0 cpe:2.3:a:oracle:communications_policy_management:12.5.0
  Oracle Communications Unified Inventory Management 7.3.2 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2
  Oracle Communications Unified Inventory Management 7.3.4 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4
  Oracle Communications Unified Inventory Management 7.3.5 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5
  Oracle Communications Unified Inventory Management 7.4.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
  Oracle Communications Unified Inventory Management 7.4.1 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1
  Oracle Retail Xstore Point Of Service 16.0.6 cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
  Oracle Retail Xstore Point Of Service 17.0.4 cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
  Oracle Retail Xstore Point Of Service 18.0.3 cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
  Oracle Retail Xstore Point Of Service 19.0.2 cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2
  Oracle Webcenter Portal 11.1.1.9.0 cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0
  Oracle Webcenter Portal 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
  Oracle Webcenter Portal 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0