CVE-2021-39152

CVSS v3.1 8.5 (High)
CVSS v2.0 6 (Medium)
EPSS 1.90% (89th percentile)
Affected Products 15
Advisories 12

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available (server-side request forgery) purely by manipulating the processed input stream, when the application runs on a Java runtime of version 8 through 14. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the security framework, you will have to use at least version 1.4.18.
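The mitigation the advisory recommends is a type allowlist rather than the default blacklist. The following is an added example, not code from the XStream project or from this advisory, showing a deny-everything-then-allow-what-you-need configuration next to the weak default. The `Order` class, its fields and the constructed input are assumptions for illustration; the API calls (`addPermission`, `allowTypes`, `allowTypeHierarchy`, `ForbiddenClassException`) are XStream's security-framework API available since 1.4.7, and the example assumes XStream 1.4.18 or later on the classpath so that the blacklist alone is not what stands between untrusted XML and the JVM.

```java
// Added example (not from the XStream project or this advisory): hardening
// XStream with the security framework's allowlist, as the description
// recommends. The Order type and the sample XML are assumed for illustration.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class XStreamAllowlistExample {

    /** Hypothetical application type the service legitimately exchanges. */
    public static class Order {
        public String customer;
        public int quantity;
        public List<String> items = new ArrayList<>();
    }

    /**
     * Weak setup: a bare XStream instance. Before 1.4.18 this relies on the
     * default blacklist only, which is exactly what CVE-2021-39152 bypasses.
     */
    public static XStream blacklistOnly() {
        return new XStream();
    }

    /** Hardened setup: deny everything, then allow only what the application needs. */
    public static XStream allowlistOnly() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        // Clear every permission registered so far, including the default
        // blacklist; from here on nothing is deserializable unless explicitly allowed.
        xstream.addPermission(NoTypePermission.NONE);
        // Basics the Order type needs: null, primitives and their wrappers, String
        // (PRIMITIVES does not cover String, so it is listed on its own).
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        // Collections for the items list (ArrayList is a Collection).
        xstream.allowTypeHierarchy(Collection.class);
        // The application's own type only; nothing from the JDK or other
        // libraries is reachable through the input stream.
        xstream.allowTypes(new Class[] { Order.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowlistOnly();

        // Legitimate input round-trips.
        Order order = new Order();
        order.customer = "alice";
        order.quantity = 2;
        order.items.add("widget");
        String xml = xstream.toXML(order);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("round-trip ok: " + back.customer + " x" + back.quantity);

        // Constructed input naming a JDK type that is not on the allowlist.
        // Whether the type is harmless or a gadget is irrelevant: it is refused
        // when the class name is resolved, before any converter or constructor
        // runs, which is what makes allowlisted users unaffected by this CVE.
        String untrusted = "<java.util.Locale>en</java.util.Locale>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("UNEXPECTED: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

If an application has many DTOs in one package, `xstream.allowTypesByWildcard(new String[] { "com.example.dto.**" })` can replace the per-class `allowTypes` call, but the wildcard should be narrow enough that no JDK or third-party package matches it. Upgrading to 1.4.18 or later is still required for anyone who cannot move off the blacklist, and the allowlist should be reviewed whenever a new type is added to the exchanged model.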

Weaknesses
CWE-502
Deserialization of Untrusted Data
CWE-918
Server-Side Request Forgery (SSRF)
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2021-08-23 19:15:13
Updated Date
2023-11-07 03:37:34

Affected Products


Configuration #1

    Vendor           Product  Version                  CPE 2.3                            Up to (excluding)
    Xstream Project  Xstream  all versions prior to 1.4.18  cpe:2.3:a:xstream_project:xstream  1.4.18

Configuration #2

    Vendor  Product  Version  CPE 2.3
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33
  Fedoraproject Fedora 34 cpe:2.3:o:fedoraproject:fedora:34
  Fedoraproject Fedora 35 cpe:2.3:o:fedoraproject:fedora:35

Configuration #3

    Vendor  Product  Version  CPE 2.3
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0
  Debian Linux 11.0 cpe:2.3:o:debian:debian_linux:11.0

Configuration #4

    Vendor  Product  Target software  CPE 2.3
  Netapp Snapmanager for Oracle cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle
  Netapp Snapmanager for Sap cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap

Configuration #5

    Vendor  Product  Version  CPE 2.3
  Oracle Business Activity Monitoring 12.2.1.4.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0
  Oracle Commerce Guided Search 11.3.2 cpe:2.3:a:oracle:commerce_guided_search:11.3.2
  Oracle Communications Billing And Revenue Management Elastic Charging Engine 11.3 cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3
  Oracle Communications Billing And Revenue Management Elastic Charging Engine 12.0 cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0
  Oracle Communications Cloud Native Core Automated Test Suite 1.9.0 cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0
  Oracle Communications Cloud Native Core Binding Support Function 1.10.0 cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0
  Oracle Communications Cloud Native Core Policy 1.14.0 cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0
  Oracle Communications Unified Inventory Management 7.3.4 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4
  Oracle Communications Unified Inventory Management 7.3.5 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5
  Oracle Communications Unified Inventory Management 7.4.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
  Oracle Communications Unified Inventory Management 7.4.1 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1
  Oracle Communications Unified Inventory Management 7.4.2 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2
  Oracle Retail Xstore Point Of Service 16.0.6 cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
  Oracle Retail Xstore Point Of Service 17.0.4 cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
  Oracle Retail Xstore Point Of Service 18.0.3 cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
  Oracle Retail Xstore Point Of Service 19.0.2 cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2
  Oracle Retail Xstore Point Of Service 20.0.1 cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1
  Oracle Utilities Framework 4.2.0.2.0 cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0
  Oracle Utilities Framework 4.2.0.3.0 cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0
  Oracle Utilities Framework 4.3.0.1.0 cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0
  Oracle Utilities Framework 4.3.0.6.0 cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0
  Oracle Utilities Framework 4.4.0.0.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
  Oracle Utilities Framework 4.4.0.2.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0
  Oracle Utilities Framework 4.4.0.3.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0
  Oracle Utilities Testing Accelerator 6.0.0.1.1 cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1
  Oracle Webcenter Portal 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
  Oracle Webcenter Portal 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0