{"containers": {"cna": {"affected": [{"product": "xstream", "vendor": "x-stream", "versions": [{"status": "affected", "version": "< 1.4.16"}]}], "descriptions": [{"lang": "en", "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-07T14:41:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://x-stream.github.io/security.html#workaround"}, {"tags": ["x_refsource_MISC"], "url": "http://x-stream.github.io/changes.html#1.4.16"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf"}, {"tags": ["x_refsource_MISC"], "url": "https://x-stream.github.io/CVE-2021-21343.html"}, {"name": "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"}, {"name": "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E"}, {"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210430-0002/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "FEDORA-2021-fbad11014a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"}, {"name": "FEDORA-2021-d894ca87dc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "FEDORA-2021-5e376c0ed9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"}, {"name": "DSA-5004", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-5004"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}], "source": {"advisory": "GHSA-74cv-f58x-f9wf", "discovery": "UNKNOWN"}, "title": "XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21343", "STATE": "PUBLIC", "TITLE": "XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xstream", "version": {"version_data": [{"version_value": "< 1.4.16"}]}}]}, "vendor_name": "x-stream"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-73 External Control of File Name or Path"}]}, {"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://x-stream.github.io/security.html#workaround", "refsource": "MISC", "url": "https://x-stream.github.io/security.html#workaround"}, {"name": "http://x-stream.github.io/changes.html#1.4.16", "refsource": "MISC", "url": "http://x-stream.github.io/changes.html#1.4.16"}, {"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf", "refsource": "CONFIRM", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf"}, {"name": "https://x-stream.github.io/CVE-2021-21343.html", "refsource": "MISC", "url": "https://x-stream.github.io/CVE-2021-21343.html"}, {"name": "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"}, {"name": "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"}, {"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"}, {"name": "https://security.netapp.com/advisory/ntap-20210430-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210430-0002/"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "FEDORA-2021-fbad11014a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"}, {"name": "FEDORA-2021-d894ca87dc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "FEDORA-2021-5e376c0ed9", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"}, {"name": "DSA-5004", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5004"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}]}, "source": {"advisory": "GHSA-74cv-f58x-f9wf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.634Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://x-stream.github.io/security.html#workaround"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://x-stream.github.io/changes.html#1.4.16"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://x-stream.github.io/CVE-2021-21343.html"}, {"name": "[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"}, {"name": "[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E"}, {"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210430-0002/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "FEDORA-2021-fbad11014a", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"}, {"name": "FEDORA-2021-d894ca87dc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "FEDORA-2021-5e376c0ed9", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"}, {"name": "DSA-5004", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-5004"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21343", "datePublished": "2021-03-22T23:40:34", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.634Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3A13328-A34B-4FB7-AF93-822E53165528", "versionEndExcluding": "1.4.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "74C7E2F1-17FC-4322-A5C3-F7EB612BA4F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "320D36DA-D99F-4149-B582-3F4AB2F41A1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2BEE49E-A5AA-42D3-B422-460454505480", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "AB9FC9AB-1070-420F-870E-A5EC43A924A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "BDC6D658-09EA-4C41-869F-1C2EA163F751", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D1534C11-E3F5-49F3-8F8D-7C5C90951E69", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1111BCFD-E336-4B31-A87E-76C684AC6DE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "CC723E79-8F35-417B-B9D9-6A707F74C1EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5700C2E9-5FF2-48EF-AD85-3C03EDA76536", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BA8461A2-428C-4817-92A9-0C671545698D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3784BE26-B268-40F3-9B10-88E50A4400AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5312AC7A-3C16-4967-ACA6-317289A749D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "1B58BCDA-E173-4D4A-A9C5-E9BFF7E57F58", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "539DA24F-E3E0-4455-84C6-A9D96CD601B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "490B2C44-CECD-4551-B04F-4076D0E053C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "48EFC111-B01B-4C34-87E4-D6B2C40C0122", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "073FEA23-E46A-4C73-9D29-95CFF4F5A59D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7756147-7168-4E03-93EE-31379F6BE88E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16."}, {"lang": "es", "value": "XStream es una biblioteca de Java para serializar objetos a XML y viceversa. En XStream anterior a la versi\u00f3n 1.4.16, se presenta una vulnerabilidad en el que el flujo procesado en el momento de la descompensaci\u00f3n contiene informaci\u00f3n de tipo para recrear los objetos escritos anteriormente. XStream crea, por tanto, nuevas instancias basadas en este tipo de informaci\u00f3n. Un atacante puede manipular el flujo de entrada procesado y reemplazar o inyectar objetos, que resulta en la eliminaci\u00f3n de un archivo en el host local. Ning\u00fan usuario est\u00e1 afectado, si sigui\u00f3 la recomendaci\u00f3n de configurar el framework de seguridad de XStream con una lista blanca limitada a los tipos m\u00ednimos requeridos. Si conf\u00eda en la lista negra predeterminada de XStream del Framework de Seguridad, tendr\u00e1 que usar al menos la versi\u00f3n 1.4.16"}], "id": "CVE-2021-21343", "lastModified": "2024-11-21T05:48:04.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-23T00:15:12.600", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "http://x-stream.github.io/changes.html#1.4.16"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210430-0002/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5004"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://x-stream.github.io/CVE-2021-21343.html"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://x-stream.github.io/security.html#workaround"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "http://x-stream.github.io/changes.html#1.4.16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210430-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5004"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://x-stream.github.io/CVE-2021-21343.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://x-stream.github.io/security.html#workaround"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2139", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "impact": "low", "package": "xstream", "product_name": "Red Hat Data Grid 8.2.0", "release_date": "2021-05-26T00:00:00Z"}, {"advisory": "RHSA-2021:5134", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "xstream", "product_name": "Red Hat Fuse 7.10", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:4918", "cpe": "cpe:/a:redhat:integration:1", "package": "xstream", "product_name": "Red Hat Integration", "release_date": "2021-12-02T00:00:00Z"}, {"advisory": "RHSA-2021:4767", "cpe": "cpe:/a:redhat:camel_quarkus:2.2", "impact": "moderate", "package": "xstream", "product_name": "Red Hat Integration Camel Quarkus 2", "release_date": "2021-11-23T00:00:00Z"}, {"advisory": "RHSA-2021:2476", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.11", "package": "xstream", "product_name": "RHDM 7.11.0", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2475", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.11", "package": "xstream", "product_name": "RHPAM 7.11.0", "release_date": "2021-06-17T00:00:00Z"}], "bugzilla": {"description": "XStream: arbitrary file deletion on the local host via crafted input stream", "id": "1942550", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942550"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-502->CWE-552", "details": ["XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16."], "name": "CVE-2021-21343", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Affected", "package_name": "xstream", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "impact": "low", "package_name": "xstream", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21343\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21343"], "statement": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", "threat_severity": "Moderate"}