8.8

CVE-2021-29505

XStream is vulnerable to a Remote Command Execution attack

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
XstreamXstream Version < 1.4.17
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
FedoraprojectFedora Version33
FedoraprojectFedora Version34
FedoraprojectFedora Version35
NetappSnapmanager Version- SwPlatformoracle
NetappSnapmanager Version- SwPlatformsap
OracleBusiness Activity Monitoring Version11.1.1.9.0
OracleBusiness Activity Monitoring Version12.2.1.3.0
OracleBusiness Activity Monitoring Version12.2.1.4.0
OracleRetail Customer Insights Version15.0.2
OracleRetail Customer Insights Version16.0.2
OracleWebcenter Portal Version12.2.1.3.0
OracleWebcenter Portal Version12.2.1.4.0
OracleWebcenter Sites Version12.2.1.3.0
OracleWebcenter Sites Version12.2.1.4.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 77.74% 0.995
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com 7.5 1.6 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory
Mailing List
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
Mailing List
https://www.debian.org/security/2021/dsa-5004
Third Party Advisory
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
Patch
Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
Third Party Advisory
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E
Mailing List
Issue Tracking
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
Third Party Advisory
Mailing List
https://security.netapp.com/advisory/ntap-20210708-0007/
Third Party Advisory
https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
https://security.netapp.com/advisory/ntap-20210708-0007
https://x-stream.github.io/CVE-2021-29505.html