CVE-2021-21342

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
References
Link Resource
http://x-stream.github.io/changes.html#1.4.16 Release Notes Third Party Advisory
https://x-stream.github.io/CVE-2021-21342.html Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround Mitigation Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20210430-0002/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Mailing List Third Party Advisory
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*

Information

Published : 2021-03-23 12:15

Updated : 2022-02-16 02:50


NVD link : CVE-2021-21342

Mitre link : CVE-2021-21342

Products Affected
No products.
CWE
CWE-502

Deserialization of Untrusted Data

CWE-918

Server-Side Request Forgery (SSRF)