CVE-2021-43859

Exploit

EPSS 2.4%
Published 01.02.2022 12:15:08
Last modified 23.05.2025 16:53:31
Source security-advisories@github.com
Teams watchlist Login
Open Login

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Affected products Warnungen 0 Metrics 4 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Jenkins ≫ Jenkins Version < 2.319.3

Jenkins ≫ Jenkins Version >= 2.321 < 2.334

Xstream ≫ Xstream Version < 1.4.19

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Debian ≫ Debian Linux Version9.0

Oracle ≫ Commerce Guided Search Version11.3.2

Oracle ≫ Communications Brm - Elastic Charging Engine Version < 12.0.0.4.6

Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.5.0

Oracle ≫ Communications Cloud Native Core Automated Test Suite Version1.9.0

Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.0.0 <= 8.1.0

Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.2.0 <= 8.2.6

Oracle ≫ Communications Policy Management Version12.6.0.0.0

Oracle ≫ Flexcube Private Banking Version12.1.0

Oracle ≫ Retail Xstore Point Of Service Version16.0.6

Oracle ≫ Retail Xstore Point Of Service Version17.0.4

Oracle ≫ Retail Xstore Point Of Service Version18.0.3

Oracle ≫ Retail Xstore Point Of Service Version19.0.2

Oracle ≫ Retail Xstore Point Of Service Version20.0.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.4%	0.845

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

http://www.openwall.com/lists/oss-security/2022/02/09/1

Third Party Advisory

Mailing List

https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846

Patch

Third Party Advisory