CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
92.7%
The vulnerability may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types.
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17.
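The whitelist configuration the advisory recommends, as an added example (this is not code from the advisory or from the XStream project; the `Order` type, the element names and both XML documents are constructed for illustration). It clears XStream's built-in permissions, allows only the types the endpoint genuinely needs, and shows that a document naming any other class is rejected with `ForbiddenClassException` before a converter is ever selected, independent of which gadget classes a given release's blacklist happens to know about:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example: a minimal XStream allowlist around one application DTO.
// The Order class, the "order" alias and the XML strings below are
// constructed for this example and are not part of the advisory.
public class XStreamAllowlistExample {

    // Hypothetical application type that the service legitimately deserializes.
    public static final class Order {
        long id;
        String customer;
    }

    // Build an XStream instance that refuses every type not listed here.
    static XStream hardened() {
        XStream xs = new XStream();
        // NoTypePermission.NONE removes all existing permissions, including the
        // defaults, so the instance starts from "deny everything".
        xs.addPermission(NoTypePermission.NONE);
        // Basics almost every document needs: null values, primitives and their boxed types.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // The only application types this endpoint accepts. Keep this list minimal:
        // every additional type is additional attack surface.
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed input: one legitimate document and one naming a type the
        // application never expects to receive from a client.
        String legit = "<order><id>42</id><customer>alice</customer></order>";
        String unexpected = "<java.lang.ProcessBuilder/>";

        XStream xs = hardened();
        Order o = (Order) xs.fromXML(legit);
        System.out.println("parsed order " + o.id + " for " + o.customer);

        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            // The allowlist rejects the element by class name, so the outcome
            // does not depend on the blacklist shipped with this XStream release.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A bare `new XStream()` without these calls relies on the default blacklist that the advisory refers to; on such a configuration only an upgrade to 1.4.17 or later closes this CVE, whereas the allowlist above would have blocked the reported input on any version that ships the security framework.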
See workarounds for the different versions covering all CVEs.
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-29505.
V3geB1rd, white hat hacker from Tencent Security Response Center, found and reported the issue to XStream and provided the required information to reproduce it.
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
com.thoughtworks.xstream | xstream | * | cpe:2.3:a:com.thoughtworks.xstream:xstream:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-7chv-rrw6-w6fc
github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
lists.debian.org/debian-lts-announce/2021/07/msg00004.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
nvd.nist.gov/vuln/detail/CVE-2021-29505
security.netapp.com/advisory/ntap-20210708-0007/
www.debian.org/security/2021/dsa-5004
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2022.html
www.oracle.com/security-alerts/cpuoct2021.html
x-stream.github.io/CVE-2021-29505.html