CVE-2021-29505
Summary
| CVE | CVE-2021-29505 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-05-28 21:15:00 UTC |
| Updated | 2023-11-07 03:32:00 UTC |
| Description | XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17. |
Risk And Classification
Problem Types: CWE-94 | CWE-502
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Netapp | Snapmanager | - | All | All | All |
| Application | Oracle | * | 14.3.0 | All | All | All |
| Application | Oracle | Banking Cash Management | 14.2 | All | All | All |
| Application | Oracle | Banking Cash Management | 14.3 | All | All | All |
| Application | Oracle | Banking Cash Management | 14.5 | All | All | All |
| Application | Oracle | Banking Corporate Lending Process Management | 14.2.0 | All | All | All |
| Application | Oracle | Banking Corporate Lending Process Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Corporate Lending Process Management | 14.5.0 | All | All | All |
| Application | Oracle | Banking Credit Facilities Process Management | 14.2.0 | All | All | All |
| Application | Oracle | Banking Credit Facilities Process Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Credit Facilities Process Management | 14.5.0 | All | All | All |
| Application | Oracle | Banking Supply Chain Finance | 14.2.0 | All | All | All |
| Application | Oracle | Banking Trade Finance Process Management | 14.5.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Communications Brm - Elastic Charging Engine | 11.3 | All | All | All |
| Application | Oracle | Communications Brm - Elastic Charging Engine | 12.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.5 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.1 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.2 | All | All | All |
| Application | Oracle | Enterprise Manager Ops Center | 12.4.0.0 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 20.0.1 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 12.2.1.4.0 | All | All | All |
| Application | Xstream Project | Xstream | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| XStream is vulnerable to a Remote Command Execution attack · Advisory · x-stream/xstream · GitHub | CONFIRM | github.com | |
| [SECURITY] [DLA 2704-1] libxstream-java security update | MLIST | lists.debian.org | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| Add description of CVE-2021-29505 and bug fix. · x-stream/xstream@24fac82 · GitHub | MISC | github.com | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Debian -- Security Information -- DSA-5004-1 libxstream-java | DEBIAN | www.debian.org | |
| CVE-2021-29505 XStream Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [jmeter-dev] 20210607 [GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16) | | lists.apache.org | |
| [SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159301 Oracle Enterprise Linux Security Update for xstream (ELSA-2021-2683)
- 178698 Debian Security Update for libxstream-java (DLA 2704-1)
- 178889 Debian Security Update for libxstream-java (DSA 5004-1)
- 178890 Debian Security Update for libxstream-java (DSA 5004-1)
- 180124 Debian Security Update for libxstream-java (CVE-2021-29505)
- 239481 Red Hat Update for xstream (RHSA-2021:2683)
- 257097 CentOS Security Update for xstream (CESA-2021:2683)
- 281980 Fedora Security Update for xstream (FEDORA-2021-d894ca87dc)
- 281981 Fedora Security Update for xstream (FEDORA-2021-fbad11014a)
- 352501 Amazon Linux Security Advisory for xstream: ALAS2-2021-1698
- 375827 XStream Arbitrary Code Execution And Multiple vulnerabilities
- 377183 Alibaba Cloud Linux Security Update for xstream (ALINUX2-SA-2021:0043)
- 730168 Atlassian Jira Server And Data Center Multiple Security Vulnerabilities (JRASERVER-72669, JRASERVER-72575, JRASERVER-72597)
- 750658 SUSE Enterprise Linux Security Update for xstream (SUSE-SU-2021:1995-1)
- 750718 OpenSUSE Security Update for xstream (openSUSE-SU-2021:0911-1)
- 750779 OpenSUSE Security Update for xstream (openSUSE-SU-2021:1995-1)
- 980137 Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-7chv-rrw6-w6fc)