Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
References (11)
Core 11
Core References
Third Party Advisory x_refsource_confirm
https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
Vendor Advisory x_refsource_misc
https://x-stream.github.io/CVE-2021-39139.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
Mailing List vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
Mailing List vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
Mailing List vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2021/dsa-5004
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210923-0003/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
8.5
EPSS
0.0084
EPSS Percentile
74.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-502
CWE-434
Status
published
Products (36)
com.thoughtworks.xstream/xstream
0 - 1.4.18Maven
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
fedoraproject/fedora
33
fedoraproject/fedora
34
fedoraproject/fedora
35
netapp/snapmanager
(2 CPE variants)
oracle/business_activity_monitoring
12.2.1.4.0
oracle/commerce_guided_search
11.3.2
... and 26 more
Published
Aug 23, 2021
Tracked Since
Feb 18, 2026