CVE-2021-21349

MEDIUM

Netapp Oncommand Insight < 5.15.14 - SSRF

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-21349. PoCs published by s-index.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2021-21349, an SSRF vulnerability in XStream. The provided Java code demonstrates the vulnerability by unmarshalling a crafted XML payload that triggers an SSRF request to an internal server.

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Exploits (1)

nomisec WORKING POC 1 stars
by s-index · poc
https://github.com/s-index/CVE-2021-21349

This repository contains a functional exploit PoC for CVE-2021-21349, an SSRF vulnerability in XStream. The provided Java code demonstrates the vulnerability by unmarshalling a crafted XML payload that triggers an SSRF request to an internal server.

Classification
Working Poc 95%
Attack Type
Ssrf
Complexity
Moderate
Reliability
Reliable
Target: XStream versions up to and including 1.4.15
No auth needed
Prerequisites: Docker environment · Java runtime · HTTP server to host the internal file
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (15)

Core 15
Core References
Mitigation, Third Party Advisory x_refsource_misc
https://x-stream.github.io/security.html#workaround
Release Notes, Third Party Advisory x_refsource_misc
http://x-stream.github.io/changes.html#1.4.16
Exploit, Third Party Advisory x_refsource_misc
https://x-stream.github.io/CVE-2021-21349.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210430-0002/
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-5004
Patch, Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 6.1
EPSS 0.4775
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Details

CWE
CWE-502 CWE-918
Status published
Products (43)
apache/activemq 5.16.0
apache/activemq 5.16.1
apache/activemq < 5.15.14
apache/jmeter < 5.5
com.thoughtworks.xstream/xstream 0 - 1.4.16Maven
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 33
fedoraproject/fedora 34
... and 33 more
Published Mar 23, 2021
Tracked Since Feb 18, 2026