CVE-2021-21341

Source
https://cve.org/CVERecord?id=CVE-2021-21341
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21341
Aliases
Downstream
Related
Published
2021-03-23T00:15:12.380Z
Modified
2026-07-08T06:26:55.328902876Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Database specific
{
    "unresolved_ranges": [
        {
            "vendor_product": "debian:debian_linux",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "9.0"
                },
                {
                    "last_affected": "9.0"
                },
                {
                    "introduced": "10.0"
                },
                {
                    "last_affected": "10.0"
                },
                {
                    "introduced": "11.0"
                },
                {
                    "last_affected": "11.0"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"
            ],
            "vendor_product": "fedoraproject:fedora",
            "extracted_events": [
                {
                    "introduced": "33"
                },
                {
                    "last_affected": "33"
                },
                {
                    "introduced": "34"
                },
                {
                    "last_affected": "34"
                },
                {
                    "introduced": "35"
                },
                {
                    "last_affected": "35"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "vendor_product": "oracle:banking_enterprise_default_management",
            "cpes": [
                "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "2.10.0"
                },
                {
                    "last_affected": "2.10.0"
                },
                {
                    "introduced": "2.12.0"
                },
                {
                    "last_affected": "2.12.0"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:banking_platform",
            "extracted_events": [
                {
                    "introduced": "2.4.0"
                },
                {
                    "last_affected": "2.4.0"
                },
                {
                    "introduced": "2.7.1"
                },
                {
                    "last_affected": "2.7.1"
                },
                {
                    "introduced": "2.9.0"
                },
                {
                    "last_affected": "2.9.0"
                },
                {
                    "introduced": "2.12.0"
                },
                {
                    "last_affected": "2.12.0"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:business_activity_monitoring",
            "extracted_events": [
                {
                    "introduced": "11.1.1.9.0"
                },
                {
                    "last_affected": "11.1.1.9.0"
                },
                {
                    "introduced": "12.2.1.3.0"
                },
                {
                    "last_affected": "12.2.1.3.0"
                },
                {
                    "introduced": "12.2.1.4.0"
                },
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "vendor_product": "oracle:communications_billing_and_revenue_management_elastic_charging_engine",
            "cpes": [
                "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "introduced": "12.0.0.3.0"
                },
                {
                    "last_affected": "12.0.0.3.0"
                }
            ]
        },
        {
            "vendor_product": "oracle:communications_unified_inventory_management",
            "cpes": [
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "7.3.2"
                },
                {
                    "last_affected": "7.3.2"
                },
                {
                    "introduced": "7.3.4"
                },
                {
                    "last_affected": "7.3.4"
                },
                {
                    "introduced": "7.3.5"
                },
                {
                    "last_affected": "7.3.5"
                },
                {
                    "introduced": "7.4.0"
                },
                {
                    "last_affected": "7.4.0"
                },
                {
                    "introduced": "7.4.1"
                },
                {
                    "last_affected": "7.4.1"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "vendor_product": "oracle:retail_xstore_point_of_service",
            "cpes": [
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "introduced": "16.0.6"
                },
                {
                    "last_affected": "16.0.6"
                },
                {
                    "introduced": "17.0.4"
                },
                {
                    "last_affected": "17.0.4"
                },
                {
                    "introduced": "18.0.3"
                },
                {
                    "last_affected": "18.0.3"
                },
                {
                    "introduced": "19.0.2"
                },
                {
                    "last_affected": "19.0.2"
                }
            ]
        },
        {
            "vendor_product": "oracle:webcenter_portal",
            "cpes": [
                "cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "introduced": "11.1.1.9.0"
                },
                {
                    "last_affected": "11.1.1.9.0"
                },
                {
                    "introduced": "12.2.1.3.0"
                },
                {
                    "last_affected": "12.2.1.3.0"
                },
                {
                    "introduced": "12.2.1.4.0"
                },
                {
                    "last_affected": "12.2.1.4.0"
                }
            ]
        }
    ]
}
References

Affected packages

Git
github.com/apache/activemq

Affected ranges

Type
GIT
Repo
https://github.com/apache/activemq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Last affected
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:activemq:5.16.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:activemq:5.16.1:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.15.14"
        },
        {
            "introduced": "5.16.0"
        },
        {
            "last_affected": "5.16.0"
        },
        {
            "introduced": "5.16.1"
        },
        {
            "last_affected": "5.16.1"
        }
    ]
}

Affected versions

5.*
5.16.0
5.16.1
activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.15.1
activemq-5.15.10
activemq-5.15.11
activemq-5.15.12
activemq-5.15.13
activemq-5.15.2
activemq-5.15.3
activemq-5.15.4
activemq-5.15.5
activemq-5.15.6
activemq-5.15.7
activemq-5.15.8
activemq-5.15.9
activemq-5.16.0
activemq-5.16.1
activemq-5.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21341.json"
github.com/apache/jmeter

Affected ranges

Type
GIT
Repo
https://github.com/apache/jmeter
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:apache:jmeter:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.5"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

5.*
5.2-rc4
rel/v5.*
rel/v5.2
rel/v5.2.1
rel/v5.3
rel/v5.4
rel/v5.4.1
v5.*
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2.1-rc1
v5.2.1-rc4
v5.2.1-rc5
v5.3-rc1
v5.4-rc1
v5.4-rc2
v5.4.1-rc1
v5.4.1-rc2
v5.5-rc1
v5.5-rc2
Other
v5_2_RC1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21341.json"
github.com/x-stream/xstream

Affected ranges

Type
GIT
Repo
https://github.com/x-stream/xstream
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.16"
        }
    ]
}

Affected versions

Other
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_5
XSTREAM_1_4_9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21341.json"