Vulnerabilities > CVE-2021-21349 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 8.6 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

NVD

Published: 2021-03-23

Updated: 2023-11-07

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Vulnerable Configurations

Part	Description	Count
Application	Xstream_Project Xstream Project Xstream - Xstream Project Xstream 0.2 Xstream Project Xstream 0.3 Xstream Project Xstream 0.4 Xstream Project Xstream 0.5 Xstream Project Xstream 0.6 Xstream Project Xstream 1.0 Xstream Project Xstream 1.0.1 Xstream Project Xstream 1.0.2 Xstream Project Xstream 1.1 Xstream Project Xstream 1.1.1 Xstream Project Xstream 1.1.2 Xstream Project Xstream 1.1.3 Xstream Project Xstream 1.2 Xstream Project Xstream 1.2.1 Xstream Project Xstream 1.2.2 Xstream Project Xstream 1.3 Xstream Project Xstream 1.3.1 Xstream Project Xstream 1.4 Xstream Project Xstream 1.4.1 Xstream Project Xstream 1.4.2 Xstream Project Xstream 1.4.3 Xstream Project Xstream 1.4.4 Xstream Project Xstream 1.4.5 Xstream Project Xstream 1.4.6 Xstream Project Xstream 1.4.7 Xstream Project Xstream 1.4.8 Xstream Project Xstream 1.4.9 Xstream Project Xstream 1.4.10 Xstream Project Xstream 1.4.11 Xstream Project Xstream 1.4.11.1 Xstream Project Xstream 1.4.12 Xstream Project Xstream 1.4.13 Xstream Project Xstream 1.4.14 Xstream Project Xstream 1.4.15	37
Application	Oracle Oracle Banking Platform 2.4.0 Oracle Banking Platform 2.7.1 Oracle Banking Platform 2.9.0 Oracle Banking Platform 2.12.0 Oracle Webcenter Portal 12.2.1.3.0 Oracle Webcenter Portal 11.1.1.9.0 Oracle Webcenter Portal 12.2.1.4.0 Oracle Communications Unified Inventory Management 7.3.2 Oracle Communications Unified Inventory Management 7.3.4 Oracle Communications Unified Inventory Management 7.3.5 Oracle Communications Unified Inventory Management 7.4.0 Oracle Communications Unified Inventory Management 7.4.1 Oracle Communications Policy Management 12.5.0 Oracle Banking Virtual Account Management 14.3.0 Oracle Banking Virtual Account Management 14.2.0 Oracle Banking Virtual Account Management 14.5.0 Oracle Communications Billing AND Revenue Management Elastic Charging Engine 12.0.0.3.0 Oracle Business Activity Monitoring 12.2.1.3.0 Oracle Business Activity Monitoring 11.1.1.9.0 Oracle Business Activity Monitoring 12.2.1.4.0 Oracle Retail Xstore Point OF Service 16.0.6 Oracle Retail Xstore Point OF Service 17.0.4 Oracle Retail Xstore Point OF Service 18.0.3 Oracle Retail Xstore Point OF Service 19.0.2 Oracle Banking Enterprise Default Management 2.12.0 Oracle Banking Enterprise Default Management 2.10.0 Oracle Graalvm 21.3.0 Oracle Graalvm 20.3.4 Oracle Java SE 8U311 Oracle Java SE 7U321	30
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0	3
OS	Fedoraproject Fedoraproject Fedora 33 Fedoraproject Fedora 34 Fedoraproject Fedora 35	3

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References