XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
07 Nov 2023, 03:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
26 Jun 2023, 19:17
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-306 | |
References | (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh - Vendor Advisory |
20 Jan 2023, 14:19
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry |
15 Nov 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
05 Oct 2022, 02:38
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
|
First Time |
Oracle webcenter Portal
Oracle communications Cloud Native Core Automated Test Suite Oracle retail Xstore Point Of Service Oracle commerce Guided Search |
|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2022, 15:41
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
First Time |
Oracle utilities Testing Accelerator
Oracle communications Billing And Revenue Management Elastic Charging Engine Oracle utilities Framework Oracle Oracle communications Cloud Native Core Policy Oracle business Activity Monitoring Oracle communications Unified Inventory Management Oracle communications Cloud Native Core Binding Support Function |
07 Feb 2022, 16:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Nov 2021, 21:41
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:* cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:* cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
11 Nov 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Nov 2021, 01:18
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Oct 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Oct 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Oct 2021, 19:10
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0003/ - Third Party Advisory |
30 Sep 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Sep 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Sep 2021, 14:47
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.0
v3 : 8.5 |
27 Aug 2021, 15:34
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh - Third Party Advisory | |
References | (MISC) https://x-stream.github.io/CVE-2021-39144.html - Exploit, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
CPE | cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* |
23 Aug 2021, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-23 18:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-39144
Mitre link : CVE-2021-39144
CVE.ORG link : CVE-2021-39144
JSON object : View
Products Affected
oracle
- communications_billing_and_revenue_management_elastic_charging_engine
- retail_xstore_point_of_service
- communications_cloud_native_core_binding_support_function
- communications_cloud_native_core_policy
- utilities_framework
- utilities_testing_accelerator
- commerce_guided_search
- communications_unified_inventory_management
- webcenter_portal
- communications_cloud_native_core_automated_test_suite
- business_activity_monitoring
netapp
- snapmanager
xstream_project
- xstream
debian
- debian_linux
fedoraproject
- fedora