9.8
CVE-2021-21346
- EPSS 3.97%
- Veröffentlicht 23.03.2021 00:15:12
- Zuletzt bearbeitet 23.05.2025 17:41:29
- Quelle security-advisories@github.com
- Teams Watchlist Login
- Unerledigt Login
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Netapp ≫ Oncommand Insight Version-
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
Fedoraproject ≫ Fedora Version33
Fedoraproject ≫ Fedora Version34
Fedoraproject ≫ Fedora Version35
Oracle ≫ Banking Enterprise Default Management Version2.10.0
Oracle ≫ Banking Enterprise Default Management Version2.12.0
Oracle ≫ Banking Platform Version2.4.0
Oracle ≫ Banking Platform Version2.7.1
Oracle ≫ Banking Platform Version2.9.0
Oracle ≫ Banking Platform Version2.12.0
Oracle ≫ Banking Virtual Account Management Version14.2.0
Oracle ≫ Banking Virtual Account Management Version14.3.0
Oracle ≫ Banking Virtual Account Management Version14.5.0
Oracle ≫ Bi Publisher Version5.5.0.0.0
Oracle ≫ Bi Publisher Version12.2.1.3.0
Oracle ≫ Bi Publisher Version12.2.1.4.0
Oracle ≫ Business Activity Monitoring Version11.1.1.9.0
Oracle ≫ Business Activity Monitoring Version12.2.1.3.0
Oracle ≫ Business Activity Monitoring Version12.2.1.4.0
Oracle ≫ Communications Billing And Revenue Management Elastic Charging Engine Version12.0.0.3.0
Oracle ≫ Communications Policy Management Version12.5.0
Oracle ≫ Communications Unified Inventory Management Version7.3.2
Oracle ≫ Communications Unified Inventory Management Version7.3.4
Oracle ≫ Communications Unified Inventory Management Version7.3.5
Oracle ≫ Communications Unified Inventory Management Version7.4.0
Oracle ≫ Communications Unified Inventory Management Version7.4.1
Oracle ≫ Retail Xstore Point Of Service Version16.0.6
Oracle ≫ Retail Xstore Point Of Service Version17.0.4
Oracle ≫ Retail Xstore Point Of Service Version18.0.3
Oracle ≫ Retail Xstore Point Of Service Version19.0.2
Oracle ≫ Webcenter Portal Version11.1.1.9.0
Oracle ≫ Webcenter Portal Version12.2.1.3.0
Oracle ≫ Webcenter Portal Version12.2.1.4.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.97% | 0.88 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| security-advisories@github.com | 6.1 | 1.6 | 4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.