CVE-2021-39144

Warnung

Exploit

EPSS 94.41%
Veröffentlicht 23.08.2021 18:15:12
Zuletzt bearbeitet 23.05.2025 16:49:25
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 3 Referenzen 15

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xstream ≫ Xstream Version < 1.4.18

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Netapp ≫ Snapmanager Version- SwPlatformoracle

Netapp ≫ Snapmanager Version- SwPlatformsap

Oracle ≫ Business Activity Monitoring Version12.2.1.4.0

Oracle ≫ Commerce Guided Search Version11.3.2

Oracle ≫ Communications Billing And Revenue Management Elastic Charging Engine Version11.3

Oracle ≫ Communications Billing And Revenue Management Elastic Charging Engine Version12.0

Oracle ≫ Communications Cloud Native Core Automated Test Suite Version1.9.0

Oracle ≫ Communications Cloud Native Core Binding Support Function Version1.10.0

Oracle ≫ Communications Cloud Native Core Policy Version1.14.0

Oracle ≫ Communications Unified Inventory Management Version7.3.4

Oracle ≫ Communications Unified Inventory Management Version7.3.5

Oracle ≫ Communications Unified Inventory Management Version7.4.0

Oracle ≫ Communications Unified Inventory Management Version7.4.1

Oracle ≫ Communications Unified Inventory Management Version7.4.2

Oracle ≫ Retail Xstore Point Of Service Version16.0.6

Oracle ≫ Retail Xstore Point Of Service Version17.0.4

Oracle ≫ Retail Xstore Point Of Service Version18.0.3

Oracle ≫ Retail Xstore Point Of Service Version19.0.2

Oracle ≫ Retail Xstore Point Of Service Version20.0.1

Oracle ≫ Utilities Framework Version4.2.0.2.0

Oracle ≫ Utilities Framework Version4.2.0.3.0

Oracle ≫ Utilities Framework Version4.3.0.1.0

Oracle ≫ Utilities Framework Version4.3.0.6.0

Oracle ≫ Utilities Framework Version4.4.0.0.0

Oracle ≫ Utilities Framework Version4.4.0.2.0

Oracle ≫ Utilities Framework Version4.4.0.3.0

Oracle ≫ Utilities Testing Accelerator Version6.0.0.1.1

Oracle ≫ Webcenter Portal Version12.2.1.3.0

Oracle ≫ Webcenter Portal Version12.2.1.4.0

10.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

XStream Remote Code Execution Vulnerability

Schwachstelle

XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.41%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P
security-advisories@github.com	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/

Mailing List

Release Notes