XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Published 2021-08-23 18:15:12
Updated 2023-06-26 19:17:52
Source GitHub, Inc.
View at NVD,   CVE.org

CVE-2021-39144 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
XStream Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cl
https://www.vmware.com/security/advisories/VMSA-2022-0027.html, https://x-stream.github.io/CVE-2021-39144.html
Added on 2023-03-10 Action due date 2023-03-31

Exploit prediction scoring system (EPSS) score for CVE-2021-39144

Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-39144

  • VMware NSX Manager XStream unauthenticated RCE
    Disclosure Date: 2022-10-25
    First seen: 2022-12-23
    VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpo

CVSS scores for CVE-2021-39144

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
GitHub, Inc.

CWE ids for CVE-2021-39144

  • The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
    Assigned by: security-advisories@github.com (Secondary)
  • The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
    Assigned by: nvd@nist.gov (Primary)
  • The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
    Assigned by:
    • nvd@nist.gov (Primary)
    • security-advisories@github.com (Secondary)

References for CVE-2021-39144

Products affected by CVE-2021-39144

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!