XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
07 Nov 2023, 03:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
05 Oct 2022, 12:22
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle webcenter Portal
Oracle communications Cloud Native Core Automated Test Suite Oracle retail Xstore Point Of Service Oracle commerce Guided Search |
|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
25 Jul 2022, 18:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2022, 16:00
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle utilities Testing Accelerator
Oracle communications Billing And Revenue Management Elastic Charging Engine Oracle utilities Framework Oracle Oracle communications Cloud Native Core Policy Oracle business Activity Monitoring Oracle communications Unified Inventory Management Oracle communications Cloud Native Core Binding Support Function |
|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
07 Feb 2022, 16:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Nov 2021, 21:56
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory |
11 Nov 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Nov 2021, 01:18
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Nov 2021, 03:06
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
30 Oct 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Oct 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Oct 2021, 19:12
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0003/ - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
30 Sep 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Sep 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Aug 2021, 14:21
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://x-stream.github.io/CVE-2021-39152.html - Exploit, Third Party Advisory | |
References | (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 6.0
v3 : 8.5 |
CPE | cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* |
23 Aug 2021, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-23 19:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-39152
Mitre link : CVE-2021-39152
CVE.ORG link : CVE-2021-39152
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_policy
- communications_cloud_native_core_binding_support_function
- communications_unified_inventory_management
- business_activity_monitoring
- webcenter_portal
- utilities_testing_accelerator
- utilities_framework
- communications_cloud_native_core_automated_test_suite
- retail_xstore_point_of_service
- commerce_guided_search
- communications_billing_and_revenue_management_elastic_charging_engine
fedoraproject
- fedora
xstream_project
- xstream
netapp
- snapmanager
debian
- debian_linux