Vulnerabilities > CVE-2021-21341 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

NVD

Published: 2021-03-23

Updated: 2023-11-07

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Vulnerable Configurations

Part	Description	Count
Application	Xstream_Project Xstream Project Xstream - Xstream Project Xstream 0.2 Xstream Project Xstream 0.3 Xstream Project Xstream 0.4 Xstream Project Xstream 0.5 Xstream Project Xstream 0.6 Xstream Project Xstream 1.0 Xstream Project Xstream 1.0.1 Xstream Project Xstream 1.0.2 Xstream Project Xstream 1.1 Xstream Project Xstream 1.1.1 Xstream Project Xstream 1.1.2 Xstream Project Xstream 1.1.3 Xstream Project Xstream 1.2 Xstream Project Xstream 1.2.1 Xstream Project Xstream 1.2.2 Xstream Project Xstream 1.3 Xstream Project Xstream 1.3.1 Xstream Project Xstream 1.4 Xstream Project Xstream 1.4.1 Xstream Project Xstream 1.4.2 Xstream Project Xstream 1.4.3 Xstream Project Xstream 1.4.4 Xstream Project Xstream 1.4.5 Xstream Project Xstream 1.4.6 Xstream Project Xstream 1.4.7 Xstream Project Xstream 1.4.8 Xstream Project Xstream 1.4.9 Xstream Project Xstream 1.4.10 Xstream Project Xstream 1.4.11 Xstream Project Xstream 1.4.11.1 Xstream Project Xstream 1.4.12 Xstream Project Xstream 1.4.13 Xstream Project Xstream 1.4.14 Xstream Project Xstream 1.4.15	37
Application	Oracle Oracle Banking Platform 2.4.0 Oracle Banking Platform 2.7.1 Oracle Banking Platform 2.9.0 Oracle Banking Platform 2.12.0 Oracle Webcenter Portal 12.2.1.3.0 Oracle Webcenter Portal 11.1.1.9.0 Oracle Webcenter Portal 12.2.1.4.0 Oracle Communications Unified Inventory Management 7.3.2 Oracle Communications Unified Inventory Management 7.3.4 Oracle Communications Unified Inventory Management 7.3.5 Oracle Communications Unified Inventory Management 7.4.0 Oracle Communications Unified Inventory Management 7.4.1 Oracle Communications Billing AND Revenue Management Elastic Charging Engine 12.0.0.3.0 Oracle Business Activity Monitoring 12.2.1.3.0 Oracle Business Activity Monitoring 11.1.1.9.0 Oracle Business Activity Monitoring 12.2.1.4.0 Oracle Retail Xstore Point OF Service 16.0.6 Oracle Retail Xstore Point OF Service 17.0.4 Oracle Retail Xstore Point OF Service 18.0.3 Oracle Retail Xstore Point OF Service 19.0.2 Oracle Banking Enterprise Default Management 2.12.0 Oracle Banking Enterprise Default Management 2.10.0	22
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0	3
OS	Fedoraproject Fedoraproject Fedora 33 Fedoraproject Fedora 34 Fedoraproject Fedora 35	3

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References