8.5
CVE-2021-39152
- EPSS 67.83%
- Published 23.08.2021 19:15:13
- Last modified 23.05.2025 16:47:47
- Source security-advisories@github.com
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, only by manipulating the processed input stream, on Java runtimes from version 8 to 14. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
Data is provided by the National Vulnerability Database (NVD)
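The advisory's mitigation is the whitelist (allow-list) mode of XStream's security framework rather than the default blacklist. The following is an added example, not code from the XStream project or from this page: it clears the default permissions, allows only a hypothetical application type (`Order`) plus the primitives it needs, and shows that an element naming any other class is refused with `ForbiddenClassException` before a converter ever runs. It assumes XStream 1.4.18 or later on the classpath and uses only the documented `addPermission`/`allowTypes` API; the `java.util.HashMap` element is a constructed stand-in for "a type the application did not allow", not the gadget chain behind CVE-2021-39152.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application DTO (assumption: the only type this endpoint ever deserializes).
    public static class Order {
        String id;
        int quantity;
    }

    // Build an XStream instance whose security framework is a minimal whitelist.
    static XStream hardened() {
        XStream xs = new XStream();
        // NoTypePermission.NONE wipes every existing permission, including the blacklist,
        // so from here on only explicitly allowed types can be instantiated.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);               // allow <null/> values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and their wrappers
        // Exactly the types the application needs; String is listed so the id field unmarshals.
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);
        return xs;
    }

    // Returns the parsed Order, or null if the document was refused by the whitelist.
    static Order parseOrder(XStream xs, String xml) {
        try {
            return (Order) xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed sample input that matches the allowed type.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order o = parseOrder(xs, good);
        System.out.println("accepted: " + o.id + " x" + o.quantity);

        // Constructed sample input naming a class outside the whitelist. With the default
        // blacklist this would be instantiated; with the whitelist it is refused up front.
        String hostile = "<java.util.HashMap/>";
        Order none = parseOrder(xs, hostile);
        System.out.println("hostile parsed to: " + none);
    }
}
```

Running the class prints the accepted order followed by a `rejected:` line for the second document. The same pattern applies to whichever types your application actually round-trips; `allowTypesByWildcard` and `allowTypeHierarchy` exist for package- or interface-based allow rules when listing concrete classes is impractical, but every widening of the list re-exposes whatever converters those types pull in.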
Fedoraproject ≫ Fedora, Version 33
Fedoraproject ≫ Fedora, Version 34
Fedoraproject ≫ Fedora, Version 35
Debian ≫ Debian Linux, Version 9.0
Debian ≫ Debian Linux, Version 10.0
Debian ≫ Debian Linux, Version 11.0
Netapp ≫ Snapmanager, Version - (SwPlatform: oracle)
Netapp ≫ Snapmanager, Version - (SwPlatform: sap)
Oracle ≫ Business Activity Monitoring, Version 12.2.1.4.0
Oracle ≫ Commerce Guided Search, Version 11.3.2
Oracle ≫ Communications Cloud Native Core Automated Test Suite, Version 1.9.0
Oracle ≫ Communications Cloud Native Core Binding Support Function, Version 1.10.0
Oracle ≫ Communications Cloud Native Core Policy, Version 1.14.0
Oracle ≫ Communications Unified Inventory Management, Version 7.3.4
Oracle ≫ Communications Unified Inventory Management, Version 7.3.5
Oracle ≫ Communications Unified Inventory Management, Version 7.4.0
Oracle ≫ Communications Unified Inventory Management, Version 7.4.1
Oracle ≫ Communications Unified Inventory Management, Version 7.4.2
Oracle ≫ Retail Xstore Point Of Service, Version 16.0.6
Oracle ≫ Retail Xstore Point Of Service, Version 17.0.4
Oracle ≫ Retail Xstore Point Of Service, Version 18.0.3
Oracle ≫ Retail Xstore Point Of Service, Version 19.0.2
Oracle ≫ Retail Xstore Point Of Service, Version 20.0.1
Oracle ≫ Utilities Framework, Version 4.2.0.2.0
Oracle ≫ Utilities Framework, Version 4.2.0.3.0
Oracle ≫ Utilities Framework, Version 4.3.0.1.0
Oracle ≫ Utilities Framework, Version 4.3.0.6.0
Oracle ≫ Utilities Framework, Version 4.4.0.0.0
Oracle ≫ Utilities Framework, Version 4.4.0.2.0
Oracle ≫ Utilities Framework, Version 4.4.0.3.0
Oracle ≫ Utilities Testing Accelerator, Version 6.0.0.1.1
Oracle ≫ Webcenter Portal, Version 12.2.1.3.0
Oracle ≫ Webcenter Portal, Version 12.2.1.4.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 67.83% | 0.985 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 8.5 | 1.8 | 6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
nvd@nist.gov | 6 | 6.8 | 6.4 | AV:N/AC:M/Au:S/C:P/I:P/A:P (CVSS 2.0) |
security-advisories@github.com | 8.5 | 1.8 | 6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.