CVE-2021-21341

HIGH

NetApp OnCommand Insight - Denial of Service via XStream Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-21341. PoCs published by s-index.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2021-21341, a Denial of Service (DoS) vulnerability in XStream. The exploit leverages a manipulated ByteArrayInputStream to trigger an endless loop during deserialization, demonstrating the vulnerability in versions up to 1.4.15.

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Exploits (1)

nomisec WORKING POC
by s-index · poc
https://github.com/s-index/CVE-2021-21341

This repository contains a functional proof-of-concept exploit for CVE-2021-21341, a Denial of Service (DoS) vulnerability in XStream. The exploit leverages a manipulated ByteArrayInputStream to trigger an endless loop during deserialization, demonstrating the vulnerability in versions up to 1.4.15.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: XStream versions up to and including 1.4.15
No auth needed
Prerequisites: XStream library in the classpath · Ability to send crafted XML input to the target application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (15)

Core 15
Core References
Mitigation, Third Party Advisory x_refsource_misc
https://x-stream.github.io/security.html#workaround
Release Notes, Third Party Advisory x_refsource_misc
http://x-stream.github.io/changes.html#1.4.16
Exploit, Third Party Advisory x_refsource_misc
https://x-stream.github.io/CVE-2021-21341.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210430-0002/
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-5004
Patch, Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 7.5
EPSS 0.7788
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400 CWE-502
Status published
Products (35)
apache/activemq 5.16.0
apache/activemq 5.16.1
apache/activemq < 5.15.14
apache/jmeter < 5.5
com.thoughtworks.xstream/xstream 0 - 1.4.16Maven
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 33
fedoraproject/fedora 34
... and 25 more
Published Mar 23, 2021
Tracked Since Feb 18, 2026