XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
07 Nov 2023, 03:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
05 Oct 2022, 02:37
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
|
First Time |
Oracle webcenter Portal
Oracle communications Cloud Native Core Automated Test Suite Oracle retail Xstore Point Of Service Oracle commerce Guided Search |
|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2022, 15:39
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle utilities Testing Accelerator
Oracle communications Billing And Revenue Management Elastic Charging Engine Oracle utilities Framework Oracle Oracle communications Cloud Native Core Policy Oracle business Activity Monitoring Oracle communications Unified Inventory Management Oracle communications Cloud Native Core Binding Support Function |
|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
07 Feb 2022, 16:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Nov 2021, 21:38
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:* cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:* cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
11 Nov 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Nov 2021, 01:18
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Oct 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Oct 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Oct 2021, 19:09
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0003/ - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
30 Sep 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Sep 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 Aug 2021, 20:43
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
References | (MISC) https://x-stream.github.io/CVE-2021-39139.html - Vendor Advisory | |
References | (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44 - Third Party Advisory |
23 Aug 2021, 18:55
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-23 18:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-39139
Mitre link : CVE-2021-39139
CVE.ORG link : CVE-2021-39139
JSON object : View
Products Affected
oracle
- communications_billing_and_revenue_management_elastic_charging_engine
- communications_cloud_native_core_binding_support_function
- webcenter_portal
- communications_cloud_native_core_automated_test_suite
- business_activity_monitoring
- retail_xstore_point_of_service
- utilities_framework
- utilities_testing_accelerator
- communications_cloud_native_core_policy
- communications_unified_inventory_management
- commerce_guided_search
debian
- debian_linux
fedoraproject
- fedora
xstream_project
- xstream
netapp
- snapmanager