CVE-2021-29505

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
References
Link Resource
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f Patch Third Party Advisory
https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc Third Party Advisory
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
https://security.netapp.com/advisory/ntap-20210708-0007
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Mailing List Third Party Advisory
https://x-stream.github.io/CVE-2021-29505.html
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f Patch Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc Third Party Advisory
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E Issue Tracking Mailing List
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Mailing List
https://security.netapp.com/advisory/ntap-20210708-0007/ Third Party Advisory
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

Configuration 5 (hide)

OR cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

History

30 May 2025, 00:15

Type Values Removed Values Added
References
  • () https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227 -
  • () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E -
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP -
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7 -
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB -
  • () https://security.netapp.com/advisory/ntap-20210708-0007 -
  • () https://x-stream.github.io/CVE-2021-29505.html -
References () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E - Mailing List, Issue Tracking () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E - Issue Tracking, Mailing List

23 May 2025, 16:53

Type Values Removed Values Added
References () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E - () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E - Mailing List, Issue Tracking
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List
References () https://www.oracle.com/security-alerts/cpujul2022.html - () https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory
CPE cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*
First Time Xstream xstream
Xstream
Oracle retail Customer Insights

21 Nov 2024, 06:01

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 8.8
v2 : 6.5
v3 : 7.5
References () https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f - Patch, Third Party Advisory () https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f - Patch, Third Party Advisory
References () https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc - Third Party Advisory () https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc - Third Party Advisory
References () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E - () https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E -
References () https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -
References () https://security.netapp.com/advisory/ntap-20210708-0007/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20210708-0007/ - Third Party Advisory
References () https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory () https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory
References () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References () https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References () https://www.oracle.com/security-alerts/cpujul2022.html - () https://www.oracle.com/security-alerts/cpujul2022.html -
References () https://www.oracle.com/security-alerts/cpuoct2021.html - Mailing List, Third Party Advisory () https://www.oracle.com/security-alerts/cpuoct2021.html - Mailing List, Third Party Advisory

25 Jul 2022, 18:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

12 May 2022, 14:06

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

01 Mar 2022, 15:27

Type Values Removed Values Added
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
CPE cpe:2.3:a:oracle:*:14.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*

07 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

30 Nov 2021, 22:07

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:*:14.3.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Mailing List, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html - (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2021/dsa-5004 - (DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210708-0007/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210708-0007/ - Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory

11 Nov 2021, 23:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-5004 -

30 Oct 2021, 02:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -

20 Oct 2021, 11:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

13 Oct 2021, 02:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210708-0007/ -

08 Jul 2021, 05:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html -

09 Jun 2021, 19:06

Type Values Removed Values Added
CPE cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
References (MLIST) https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E - Mailing List, Third Party Advisory
References (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc - (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc - Third Party Advisory
References (MISC) https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f - (MISC) https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 6.5
v3 : 8.8

07 Jun 2021, 14:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E -

07 Jun 2021, 12:15

Type Values Removed Values Added
Summary ### Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html). ### Credits V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Email us at [XStream Google Group](https://groups.google.com/group/xstream-user) XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
References
  • (MISC) https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f -

28 May 2021, 22:15

Type Values Removed Values Added
Summary ### Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html). ### Credits V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Email us at [XStream Google Group](https://groups.google.com/group/xstream-user) ### Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html). ### Credits V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Email us at [XStream Google Group](https://groups.google.com/group/xstream-user)
CWE CWE-94
CWE-502

28 May 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-05-28 21:15

Updated : 2025-05-30 00:15


NVD link : CVE-2021-29505

Mitre link : CVE-2021-29505

CVE.ORG link : CVE-2021-29505


JSON object : View

Products Affected

xstream

  • xstream

oracle

  • banking_cash_management
  • business_activity_monitoring
  • banking_supply_chain_finance
  • webcenter_portal
  • webcenter_sites
  • communications_unified_inventory_management
  • retail_customer_insights
  • retail_xstore_point_of_service
  • communications_brm_-_elastic_charging_engine
  • banking_trade_finance_process_management
  • enterprise_manager_ops_center
  • banking_credit_facilities_process_management
  • banking_corporate_lending_process_management

debian

  • debian_linux

netapp

  • snapmanager

fedoraproject

  • fedora
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-502

Deserialization of Untrusted Data