1. Home
  2. Vulnerabilities
  3. CVE-2021-29505

CVE-2021-29505

CVSS v3.1 8.8 (High)
88% Progress
CVSS v2.0 6.5 (Medium)
65% Progress
EPSS 4.71 % (93th)
4.71% Progress
Affected Products 16
Advisories 10
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

Weaknesses
CWE-502
Deserialization of Untrusted Data
CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2021-05-28 21:15:08
(3 years ago)
Updated Date
2023-11-07 03:32:38
(10 months ago)

Affected Products

Debian

Fedoraproject

Netapp

Oracle

Xstream Project

Configuration #1

    CPE23 From Up To
  Xstream Project Xstream prior 1.4.17 version cpe:2.3:a:xstream_project:xstream < 1.4.17

Configuration #2

    CPE23 From Up To
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0
  Debian Linux 11.0 cpe:2.3:o:debian:debian_linux:11.0

Configuration #3

    CPE23 From Up To
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33
  Fedoraproject Fedora 34 cpe:2.3:o:fedoraproject:fedora:34
  Fedoraproject Fedora 35 cpe:2.3:o:fedoraproject:fedora:35

Configuration #4

    CPE23 From Up To
  Netapp Snapmanager for Oracle cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle
  Netapp Snapmanager for Sap cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap

Configuration #5

    CPE23 From Up To
  Oracle Banking Cash Management 14.2 cpe:2.3:a:oracle:banking_cash_management:14.2
  Oracle Banking Cash Management 14.3 cpe:2.3:a:oracle:banking_cash_management:14.3
  Oracle Banking Cash Management 14.5 cpe:2.3:a:oracle:banking_cash_management:14.5
  Oracle Banking Corporate Lending Process Management 14.2.0 cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0
  Oracle Banking Corporate Lending Process Management 14.3.0 cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0
  Oracle Banking Corporate Lending Process Management 14.5.0 cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0
  Oracle Banking Credit Facilities Process Management 14.2.0 cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0
  Oracle Banking Credit Facilities Process Management 14.3.0 cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0
  Oracle Banking Credit Facilities Process Management 14.5.0 cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0
  Oracle Banking Supply Chain Finance 14.2.0 cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0
  Oracle Banking Trade Finance Process Management 14.5.0 cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0
  Oracle Business Activity Monitoring 11.1.1.9.0 cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0
  Oracle Business Activity Monitoring 12.2.1.3.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0
  Oracle Business Activity Monitoring 12.2.1.4.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0
  Oracle Communications Brm - Elastic Charging Engine 11.3 cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3
  Oracle Communications Brm - Elastic Charging Engine 12.0 cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0
  Oracle Communications Unified Inventory Management 7.3.4 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4
  Oracle Communications Unified Inventory Management 7.3.5 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5
  Oracle Communications Unified Inventory Management 7.4.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
  Oracle Communications Unified Inventory Management 7.4.1 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1
  Oracle Communications Unified Inventory Management 7.4.2 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2
  Oracle Enterprise Manager Ops Center 12.4.0.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0
  Oracle Retail Xstore Point Of Service 16.0.6 cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
  Oracle Retail Xstore Point Of Service 17.0.4 cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
  Oracle Retail Xstore Point Of Service 18.0.3 cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
  Oracle Retail Xstore Point Of Service 19.0.2 cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2
  Oracle Retail Xstore Point Of Service 20.0.1 cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1
  Oracle Webcenter Portal 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
  Oracle Webcenter Portal 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0
  Oracle Webcenter Sites 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0
  Oracle Webcenter Sites 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0