CVE-2021-21345

MEDIUM NUCLEI

Netapp Oncommand Insight < 5.15.14 - Insecure Deserialization

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-21345. PoCs published by shoucheng3. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains benchmarking code for XStream but lacks any exploit code or technical details related to CVE-2021-21345. It appears to be a placeholder or incomplete repository.

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Exploits (1)

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/x-stream__xstream_CVE-2021-21345_1-4-15

The repository contains benchmarking code for XStream but lacks any exploit code or technical details related to CVE-2021-21345. It appears to be a placeholder or incomplete repository.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

XStream < 1.4.16 - Remote Code Execution
CRITICALby pwnhxl,vicrack

References (16)

Core 16
Core References
Mitigation, Third Party Advisory x_refsource_misc
https://x-stream.github.io/security.html#workaround
Release Notes, Third Party Advisory x_refsource_misc
http://x-stream.github.io/changes.html#1.4.16
Exploit, Third Party Advisory x_refsource_misc
https://x-stream.github.io/CVE-2021-21345.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210430-0002/
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-5004
Patch, Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 5.8
EPSS 0.7295
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N

Details

CWE
CWE-502 CWE-78 CWE-94
Status published
Products (41)
apache/activemq 5.16.0
apache/activemq 5.16.1
apache/activemq < 5.15.14
apache/jmeter < 5.5
com.thoughtworks.xstream/xstream 0 - 1.4.16Maven
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 33
fedoraproject/fedora 34
... and 31 more
Published Mar 23, 2021
Tracked Since Feb 18, 2026