Vulnerabilities > CVE-2021-21342 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

critical

NVD

Published: 2021-03-23

Updated: 2023-11-07

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Vulnerable Configurations

Part	Description	Count
Application	Xstream_Project Xstream Project Xstream - Xstream Project Xstream 0.2 Xstream Project Xstream 0.3 Xstream Project Xstream 0.4 Xstream Project Xstream 0.5 Xstream Project Xstream 0.6 Xstream Project Xstream 1.0 Xstream Project Xstream 1.0.1 Xstream Project Xstream 1.0.2 Xstream Project Xstream 1.1 Xstream Project Xstream 1.1.1 Xstream Project Xstream 1.1.2 Xstream Project Xstream 1.1.3 Xstream Project Xstream 1.2 Xstream Project Xstream 1.2.1 Xstream Project Xstream 1.2.2 Xstream Project Xstream 1.3 Xstream Project Xstream 1.3.1 Xstream Project Xstream 1.4 Xstream Project Xstream 1.4.1 Xstream Project Xstream 1.4.2 Xstream Project Xstream 1.4.3 Xstream Project Xstream 1.4.4 Xstream Project Xstream 1.4.5 Xstream Project Xstream 1.4.6 Xstream Project Xstream 1.4.7 Xstream Project Xstream 1.4.8 Xstream Project Xstream 1.4.9 Xstream Project Xstream 1.4.10 Xstream Project Xstream 1.4.11 Xstream Project Xstream 1.4.11.1 Xstream Project Xstream 1.4.12 Xstream Project Xstream 1.4.13 Xstream Project Xstream 1.4.14 Xstream Project Xstream 1.4.15	37
Application	Oracle Oracle Banking Platform 2.4.0 Oracle Banking Platform 2.7.1 Oracle Banking Platform 2.9.0 Oracle Banking Platform 2.12.0 Oracle Webcenter Portal 12.2.1.3.0 Oracle Webcenter Portal 11.1.1.9.0 Oracle Webcenter Portal 12.2.1.4.0 Oracle Communications Unified Inventory Management 7.3.2 Oracle Communications Unified Inventory Management 7.3.4 Oracle Communications Unified Inventory Management 7.3.5 Oracle Communications Unified Inventory Management 7.4.0 Oracle Communications Unified Inventory Management 7.4.1 Oracle Communications Policy Management 12.5.0 Oracle Banking Virtual Account Management 14.3.0 Oracle Banking Virtual Account Management 14.2.0 Oracle Banking Virtual Account Management 14.5.0 Oracle Business Activity Monitoring 12.2.1.3.0 Oracle Business Activity Monitoring 11.1.1.9.0 Oracle Business Activity Monitoring 12.2.1.4.0 Oracle Retail Xstore Point OF Service 16.0.6 Oracle Retail Xstore Point OF Service 17.0.4 Oracle Retail Xstore Point OF Service 18.0.3 Oracle Retail Xstore Point OF Service 19.0.2 Oracle Banking Enterprise Default Management 2.12.0 Oracle Banking Enterprise Default Management 2.10.0 Oracle Communications BRM Elastic Charging Engine 12.0.0.3	26
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0	3
OS	Fedoraproject Fedoraproject Fedora 33 Fedoraproject Fedora 34 Fedoraproject Fedora 35	3

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References