XStream Multiple high-risk Vulnerability Alert
On March 13, 2021, Xstream released a security update to fix many security vulnerabilities. The POC has been published.
| CVE | Description |
|---|---|
| 2021 | |
| CVE-2021-21341 | XStream can cause a Denial of Service. |
| CVE-2021-21342 | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host. |
| CVE-2021-21343 | XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights. |
| CVE-2021-21344 | XStream is vulnerable to an Arbitrary Code Execution attack. |
| CVE-2021-21345 | XStream is vulnerable to a Remote Command Execution attack. |
| CVE-2021-21346 | XStream is vulnerable to an Arbitrary Code Execution attack. |
| CVE-2021-21347 | XStream is vulnerable to an Arbitrary Code Execution attack. |
| CVE-2021-21348 | XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos). |
| CVE-2021-21349 | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the localhost. |
| CVE-2021-21350 | XStream is vulnerable to an Arbitrary Code Execution attack. |
| CVE-2021-21351 | XStream is vulnerable to an Arbitrary Code Execution attack. |
Affected version
- XStream <= 1.4.15
Solution
It is recommended to upgrade to the latest XStream version and follow the official mitigation measures to repair.
