Lucene search

GitHub Advisory DatabaseGHSA-7CHV-RRW6-W6FC

HistoryMay 18, 2021 - 6:36 p.m.

XStream is vulnerable to a Remote Command Execution attack

2021-05-1818:36:27

CWE-74

CWE-94

CWE-502

GitHub Advisory Database

github.com

xstream

remote command execution

vulnerability

security framework

patches

workarounds

cve-2021-29505

advisory

tencent security

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.047

Percentile

92.7%

JSON

Impact

The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream’s security framework with a whitelist limited to the minimal required types.

Patches

If you rely on XStream’s default blacklist of the Security Framework, you will have to use at least version 1.4.17.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream’s documentation for CVE-2021-29505.

Credits

V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

Open an issue in XStream
Email us at XStream Google Group

Affected configurations

Vulners

Node

com.thoughtworks.xstreamxstreamRange<1.4.17

VendorProductVersionCPE
com.thoughtworks.xstreamxstream*cpe:2.3:a:com.thoughtworks.xstream:xstream:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
com.thoughtworks.xstream	xstream	*	cpe:2.3:a:com.thoughtworks.xstream:xstream::::::::

References

github.com/advisories/GHSA-7chv-rrw6-w6fc

github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f

github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E

lists.debian.org/debian-lts-announce/2021/07/msg00004.html

lists.fedoraproject.org/archives/list/[email protected]/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/

lists.fedoraproject.org/archives/list/[email protected]/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/

lists.fedoraproject.org/archives/list/[email protected]/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/

nvd.nist.gov/vuln/detail/CVE-2021-29505

security.netapp.com/advisory/ntap-20210708-0007/

www.debian.org/security/2021/dsa-5004

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2022.html

www.oracle.com/security-alerts/cpuoct2021.html

x-stream.github.io/CVE-2021-29505.html

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.047

Percentile

92.7%

JSON

Related for GHSA-7CHV-RRW6-W6FC