CVE-2021-39152

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.

CVSS v3 8.5 HIGH
CVSS v2.0 6.0 MEDIUM

8.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210923-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-39152.html	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
	cpe:2.3:a:netapp:snapmanager:-:::::sap::

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::*
	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

History

07 Nov 2023, 03:37

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/', 'name': 'FEDORA-2021-5e376c0ed9', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/', 'name': 'FEDORA-2021-d894ca87dc', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/', 'name': 'FEDORA-2021-fbad11014a', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -

05 Oct 2022, 12:22

Type	Values Removed	Values Added
First Time		Oracle webcenter Portal Oracle communications Cloud Native Core Automated Test Suite Oracle retail Xstore Point Of Service Oracle commerce Guided Search
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*

25 Jul 2022, 18:16

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

20 Apr 2022, 00:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

16 Feb 2022, 16:00

Type	Values Removed	Values Added
First Time		Oracle utilities Testing Accelerator Oracle communications Billing And Revenue Management Elastic Charging Engine Oracle utilities Framework Oracle Oracle communications Cloud Native Core Policy Oracle business Activity Monitoring Oracle communications Unified Inventory Management Oracle communications Cloud Native Core Binding Support Function
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:::::::* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*

07 Feb 2022, 16:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

30 Nov 2021, 21:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:netapp:snapmanager:-:::::oracle:: cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:a:netapp:snapmanager:-:::::sap:: cpe:2.3:o:debian:debian_linux:10.0:::::::*
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-5004 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory

11 Nov 2021, 23:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - (DEBIAN) https://www.debian.org/security/2021/dsa-5004 -

10 Nov 2021, 01:18

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/', 'name': 'FEDORA-2021-5e376c0ed9', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}

06 Nov 2021, 03:06

Type	Values Removed	Values Added
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::*

30 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -

13 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -

07 Oct 2021, 19:12

Type	Values Removed	Values Added
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0003/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0003/ - Third Party Advisory
CPE		cpe:2.3:o:debian:debian_linux:9.0:::::::*

30 Sep 2021, 10:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html -

23 Sep 2021, 13:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0003/ -

31 Aug 2021, 14:21

Type	Values Removed	Values Added
References	~~(MISC) https://x-stream.github.io/CVE-2021-39152.html -~~	(MISC) https://x-stream.github.io/CVE-2021-39152.html - Exploit, Third Party Advisory
References	~~(CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 -~~	(CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~8.5~~	v2 : 6.0 v3 : 8.5
CPE		cpe:2.3:a:xstream_project:xstream::::::::

23 Aug 2021, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-08-23 19:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-39152

Mitre link : CVE-2021-39152

CVE.ORG link : CVE-2021-39152

JSON object : View

Products Affected

oracle

communications_cloud_native_core_policy
communications_cloud_native_core_binding_support_function
communications_unified_inventory_management
business_activity_monitoring
webcenter_portal
utilities_testing_accelerator
utilities_framework
communications_cloud_native_core_automated_test_suite
retail_xstore_point_of_service
commerce_guided_search
communications_billing_and_revenue_management_elastic_charging_engine

fedoraproject

fedora

xstream_project

xstream

netapp

snapmanager

debian

debian_linux

CWE

CWE-502

Deserialization of Untrusted Data

CWE-918

Server-Side Request Forgery (SSRF)

8.5 /10