CVE-2021-39144

HIGH KEV NUCLEI

Xstream < 1.4.18 - Missing Authentication

Title source: rule

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Exploits (2)

metasploit · WORKING POC · EXCELLENT
by h00die-gr3y, Sina Kheirkhah, Steven Seeley · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb

Nuclei Templates (1)

XStream 1.4.18 - Remote Code Execution
HIGH · by pwnhxl, vicrack

Scores

CVSS v3 8.5
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CISA KEV 2023-03-10
VulnCheck KEV 2023-03-08
InTheWild.io 2023-03-06
ENISA EUVD EUVD-2021-1771
CWE
CWE-502 CWE-306 CWE-94
Status published
Products (36)
com.thoughtworks.xstream/xstream 0 - 1.4.18 (Maven)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
netapp/snapmanager (2 CPE variants)
oracle/business_activity_monitoring 12.2.1.4.0
oracle/commerce_guided_search 11.3.2
... and 26 more
Published Aug 23, 2021
KEV Added Mar 10, 2023
Tracked Since Feb 18, 2026