CVE-2021-21343

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf	Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/	Third Party Advisory Mailing List
https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory Mailing List
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-21343.html	Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory
http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf	Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E	Third Party Advisory Issue Tracking Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/	Third Party Advisory Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/	Third Party Advisory Mailing List
https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory Mailing List
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-21343.html	Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:apache:activemq::::::::
	cpe:2.3:a:apache:activemq:5.16.0:::::::*
	cpe:2.3:a:apache:activemq:5.16.1:::::::*
	cpe:2.3:a:apache:jmeter::::::::

Configuration 3 (hide)

cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

History

23 May 2025, 17:40

Type	Values Removed	Values Added
First Time		Apache Apache activemq Xstream Apache jmeter Xstream xstream Netapp Netapp oncommand Insight
CWE		NVD-CWE-noinfo
CPE	cpe:2.3:a:xstream_project:xstream::::::::	cpe:2.3:a:xstream:xstream:::::::: cpe:2.3:a:apache:activemq:5.16.1:::::::* cpe:2.3:a:netapp:oncommand_insight:-:::::::* cpe:2.3:a:apache:jmeter:::::::: cpe:2.3:a:apache:activemq:5.16.0:::::::* cpe:2.3:a:apache:activemq::::::::
References	~~() https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E -~~	() https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E - Third Party Advisory, Issue Tracking, Mailing List
References	~~() https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E -~~	() https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E - Third Party Advisory, Issue Tracking, Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Third Party Advisory, Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Third Party Advisory, Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Third Party Advisory, Mailing List
References	~~() https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory~~	() https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory, Mailing List

Information

Published : 2021-03-23 00:15

Updated : 2025-05-23 17:40

NVD link : CVE-2021-21343

Mitre link : CVE-2021-21343

CVE.ORG link : CVE-2021-21343

JSON object : View

Products Affected

apache

jmeter
activemq

oracle

retail_xstore_point_of_service
communications_unified_inventory_management
banking_enterprise_default_management
business_activity_monitoring
banking_platform
communications_billing_and_revenue_management_elastic_charging_engine
webcenter_portal
banking_virtual_account_management
communications_policy_management

netapp

oncommand_insight

fedoraproject

fedora

xstream

xstream

debian

debian_linux

CWE

CWE-73

External Control of File Name or Path

CWE-502

Deserialization of Untrusted Data

NVD-CWE-noinfo

5.3 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-21343

5.3^/10

5.0^/10

Attach tags to `CVE-2021-21343`