CVE-2021-43859

CVSS v3.1 7.5 (High)
CVSS v2.0 5.0 (Medium)
EPSS 1.49% (87th percentile)
Affected Products 10
Advisories 7

XStream is an open source Java library that serializes objects to XML and back again. In versions prior to 1.4.19, a remote attacker who can manipulate the input stream being unmarshalled may drive CPU usage on the target system to 100% (the effect depends on the CPU type and on whether several such payloads are processed in parallel), resulting in a denial of service. No code execution or type-confusion gadget is needed; manipulating the processed input stream alone is sufficient. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception once a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may switch XStream to NO_REFERENCES mode (XStream.NO_REFERENCES), which prevents the recursion the payload relies on. See GHSA-rmr5-cpv2-vgjf for further details on the workaround if an upgrade is not possible.
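The following is an added example, not code from the XStream project or from the advisory, showing how an application that parses untrusted XML would apply the two measures named above: NO_REFERENCES mode as the workaround for releases before 1.4.19, and the collection update time limit that accompanies the 1.4.19 fix. The Order class, the alias "order" and the sample document are assumptions made for illustration; the XStream calls themselves are the library's public API. Note the trade-off of NO_REFERENCES mode: documents that legitimately share or cycle objects no longer round-trip, and marshalling a cyclic graph throws CircularReferenceException.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Unmarshalling untrusted XML with XStream, applying the mitigations the
 * advisory for CVE-2021-43859 names. Added example; not XStream project code.
 */
public final class HardenedXStreamLoader {

    /** Hypothetical application payload type, assumed for this example. */
    public static final class Order {
        public String id;
        public List<String> items;
    }

    public static XStream build() {
        XStream xstream = new XStream();

        // Workaround for releases before 1.4.19: without reference support the
        // stream cannot point an element back at an object that was already
        // created, so it cannot build the self-referencing collections whose
        // repeated hashCode() evaluation burns CPU. Cost: shared or cyclic
        // object graphs no longer round-trip (CircularReferenceException on write).
        xstream.setMode(XStream.NO_REFERENCES);

        // Fix shipped in 1.4.19: cap the accumulated time (seconds) spent adding
        // elements to collections and maps during unmarshalling. The default is
        // 20 s; request-scoped parsing can afford a much lower value. This method
        // only exists from 1.4.19 on, so it also fails loudly on an old jar.
        xstream.setCollectionUpdateLimit(5);

        // Explicit type allowlist: deny everything, then permit only what the
        // application needs. This does not mitigate the CVE by itself (the payload
        // uses ordinary java.util collections), but any XStream instance that reads
        // untrusted input should run with one.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.allowTypeHierarchy(List.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypeHierarchy(Set.class);

        xstream.alias("order", Order.class); // assumed alias for the sample document
        return xstream;
    }

    /**
     * Parse one untrusted document. Both the time limit and a forbidden type
     * surface as XStreamException subclasses; treat them as rejected input,
     * not as an internal error, so the caller returns a 4xx rather than a 5xx.
     */
    public static Order parse(String xml) {
        try {
            return (Order) build().fromXML(xml);
        } catch (XStreamException e) {
            throw new IllegalArgumentException("rejected XStream input: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input; not taken from the advisory.
        String xml = "<order><id>A-1</id><items><string>widget</string></items></order>";
        Order order = parse(xml);
        System.out.println(order.id + " with " + order.items.size() + " item(s)");
    }
}
```

When verifying a deployment, check both the resolved xstream artifact version on the classpath (transitive dependencies from the Oracle products listed below may pull in their own copy) and that the XStream instance actually used for untrusted input is the hardened one; a second, default-constructed instance elsewhere in the code base still carries the original exposure.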

Weaknesses
CWE-400
Uncontrolled Resource Consumption
Related CVEs
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2022-02-01 12:15:08
Updated Date
2023-11-07 03:39:28

Affected Products


Configuration #1

  Vendor            Product   Affected versions   CPE 2.3                              Range
  XStream Project   XStream   prior to 1.4.19     cpe:2.3:a:xstream_project:xstream    < 1.4.19

Configuration #2

  Vendor          Product   Affected versions   CPE 2.3
  Fedoraproject   Fedora    34                  cpe:2.3:o:fedoraproject:fedora:34
  Fedoraproject   Fedora    35                  cpe:2.3:o:fedoraproject:fedora:35

Configuration #3

  Vendor   Product   Affected versions   CPE 2.3
  Debian   Linux     9.0                 cpe:2.3:o:debian:debian_linux:9.0

Configuration #4

  Vendor   Product                                             Affected versions            CPE 2.3                                                              Range
  Oracle   Commerce Guided Search                              11.3.2                       cpe:2.3:a:oracle:commerce_guided_search:11.3.2
  Oracle   Communications BRM - Elastic Charging Engine        prior to 12.0.0.4.6          cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine        < 12.0.0.4.6
  Oracle   Communications BRM - Elastic Charging Engine        12.0.0.5.0                   cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0
  Oracle   Communications Cloud Native Core Automated Test Suite   1.9.0                    cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0
  Oracle   Communications Diameter Intelligence Hub            8.0.0 through 8.1.0          cpe:2.3:a:oracle:communications_diameter_intelligence_hub            >= 8.0.0, <= 8.1.0
  Oracle   Communications Diameter Intelligence Hub            8.2.0 through 8.2.6          cpe:2.3:a:oracle:communications_diameter_intelligence_hub            >= 8.2.0, <= 8.2.6
  Oracle   Communications Policy Management                    12.6.0.0.0                   cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0
  Oracle   FLEXCUBE Private Banking                            12.1.0                       cpe:2.3:a:oracle:flexcube_private_banking:12.1.0
  Oracle   Retail Xstore Point of Service                      16.0.6                       cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
  Oracle   Retail Xstore Point of Service                      17.0.4                       cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
  Oracle   Retail Xstore Point of Service                      18.0.3                       cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
  Oracle   Retail Xstore Point of Service                      19.0.2                       cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2
  Oracle   Retail Xstore Point of Service                      20.0.1                       cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1