CVE-2021-21344

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3 5.3 MEDIUM
CVSS v2.0 7.5 HIGH

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3	Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/	Third Party Advisory Mailing List
https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory Mailing List
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-21344.html	Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory
http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3	Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/	Third Party Advisory Mailing List
https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory Mailing List
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-21344.html	Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:apache:activemq::::::::
	cpe:2.3:a:apache:activemq:5.16.0:::::::*
	cpe:2.3:a:apache:activemq:5.16.1:::::::*
	cpe:2.3:a:apache:jmeter::::::::

Configuration 3 (hide)

cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:mysql_server::::::::
	cpe:2.3:a:oracle:mysql_server::::::::
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

History

23 May 2025, 17:40

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E -~~	() https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E - Third Party Advisory, Issue Tracking, Mailing List
References	~~() https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E -~~	() https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E - Third Party Advisory, Issue Tracking, Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Third Party Advisory, Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Third Party Advisory, Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Third Party Advisory, Mailing List
References	~~() https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory~~	() https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory, Mailing List
First Time		Apache activemq Apache jmeter Netapp Xstream Apache Xstream xstream Netapp oncommand Insight
CPE	cpe:2.3:a:xstream_project:xstream::::::::	cpe:2.3:a:apache:activemq:5.16.1:::::::* cpe:2.3:a:apache:activemq:::::::: cpe:2.3:a:xstream:xstream:::::::: cpe:2.3:a:netapp:oncommand_insight:-:::::::* cpe:2.3:a:apache:activemq:5.16.0:::::::* cpe:2.3:a:apache:jmeter::::::::

21 Nov 2024, 05:48

Information

Published : 2021-03-23 00:15

Updated : 2025-05-23 17:40

NVD link : CVE-2021-21344

Mitre link : CVE-2021-21344

CVE.ORG link : CVE-2021-21344

JSON object : View

Products Affected

oracle

communications_billing_and_revenue_management_elastic_charging_engine
communications_unified_inventory_management
webcenter_portal
banking_platform
retail_xstore_point_of_service
business_activity_monitoring
banking_virtual_account_management
banking_enterprise_default_management
communications_policy_management
mysql_server

apache

jmeter
activemq

fedoraproject

fedora

debian

debian_linux

xstream

xstream

netapp

oncommand_insight

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-502

Deserialization of Untrusted Data

NVD-CWE-noinfo

5.3 /10