CVE-2021-29505 : XStream is software for serializing Java objects to XML and back again. A vulner

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

Published 2021-05-28 21:15:09

Updated 2022-07-25 18:15:42

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-29505

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Sites » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Sites » Version: 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 16.0.6
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 17.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 18.0.3
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 19.0.2
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 20.0.1
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.4.0.0
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.3.4
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.3.5
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.1
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.2
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
Matching versions
Oracle » Business Activity Monitoring » Version: 11.1.1.9.0
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Activity Monitoring » Version: 12.2.1.3.0
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Activity Monitoring » Version: 12.2.1.4.0
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.3.0
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.2.0
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.3.0
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.2.0
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Supply Chain Finance » Version: 14.2.0
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Cash Management » Version: 14.2
cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Cash Management » Version: 14.3
cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Cash Management » Version: 14.5
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Brm - Elastic Charging Engine » Version: 11.3
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Brm - Elastic Charging Engine » Version: 12.0
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For Oracle
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For SAP
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
Matching versions
Xstream Project » Xstream
Versions before (<) 1.4.17
cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-29505

EPSS FAQ

89.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-29505

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-29505

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: security-advisories@github.com (Primary)
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2021-29505

https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E

[GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16) - Pony Mail
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/

[SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f

Add description of CVE-2021-29505 and bug fix. · x-stream/xstream@24fac82 · GitHub
Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210708-0007/

CVE-2021-29505 XStream Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://www.debian.org/security/2021/dsa-5004

Debian -- Security Information -- DSA-5004-1 libxstream-java
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html

[SECURITY] [DLA 2704-1] libxstream-java security update
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/

[SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/

[SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022

CVEs referencing this url
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

XStream is vulnerable to a Remote Command Execution attack · Advisory · x-stream/xstream · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-29505

Products affected by CVE-2021-29505

Exploit prediction scoring system (EPSS) score for CVE-2021-29505

CVSS scores for CVE-2021-29505

CWE ids for CVE-2021-29505

References for CVE-2021-29505