XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f cve-icon cve-icon
https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227 cve-icon cve-icon
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E cve-icon
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7 cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-29505 cve-icon
https://security.netapp.com/advisory/ntap-20210708-0007 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20210708-0007/ cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-29505 cve-icon
https://www.debian.org/security/2021/dsa-5004 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2021.html cve-icon cve-icon
https://x-stream.github.io/CVE-2021-29505.html cve-icon cve-icon cve-icon
History

Thu, 29 May 2025 23:45:00 +0000


Fri, 23 May 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle retail Customer Insights
Xstream
Xstream xstream
CPEs cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
Vendors & Products Xstream Project
Xstream Project xstream
Oracle retail Customer Insights
Xstream
Xstream xstream

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-05-29T23:30:31.977Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29505

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-05-28T21:15:08.713

Modified: 2025-05-30T00:15:20.543

Link: CVE-2021-29505

cve-icon Redhat

Severity : Important

Publid Date: 2021-05-14T00:00:00Z

Links: CVE-2021-29505 - Bugzilla

cve-icon OpenCVE Enrichment

No data.