CVE-2021-21341
- Source
- https://cve.org/CVERecord?id=CVE-2021-21341
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21341.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-21341
- Aliases
- Downstream
- Related
- Published
- 2021-03-23T00:15:12.380Z
- Modified
- 2026-04-02T06:46:35.822746Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
- References
-
- https://x-stream.github.io/security.html#workaround
- http://x-stream.github.io/changes.html#1.4.16
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://www.debian.org/security/2021/dsa-5004
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://security.netapp.com/advisory/ntap-20210430-0002/
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://x-stream.github.io/CVE-2021-21341.html
Affected packages
Git / github.com/apache/activemq
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/activemq
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "5.15.14" }, { "introduced": "0" }, { "last_affected": "5.16.0" }, { "introduced": "0" }, { "last_affected": "5.16.1" }, { "introduced": "0" }, { "fixed": "5.5" } ] }
Affected versions
Other
XSTREAM_0_2
XSTREAM_0_3
XSTREAM_0_4
XSTREAM_0_5
XSTREAM_0_6
XSTREAM_0_6_RC1
XSTREAM_1_0_1
XSTREAM_1_0_2
XSTREAM_1_0_RC1
XSTREAM_1_1
XSTREAM_1_1_1
XSTREAM_1_1_2
XSTREAM_1_1_3
XSTREAM_1_2
XSTREAM_1_2_1
XSTREAM_1_2_2
XSTREAM_1_3
XSTREAM_1_3_1
XSTREAM_1_4
XSTREAM_1_4_1
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_2
XSTREAM_1_4_3
XSTREAM_1_4_4
XSTREAM_1_4_5
XSTREAM_1_4_6
XSTREAM_1_4_7
XSTREAM_1_4_8
XSTREAM_1_4_9
activemq-4.*
activemq-4.0
activemq-4.0.1
activemq-4.0.2
activemq-4.1.0
activemq-4.1.1
activemq-4.1.2
activemq-5.*
activemq-5.0.0
activemq-5.1.0
activemq-5.10.0
activemq-5.10.1
activemq-5.10.2
activemq-5.11.0
activemq-5.11.1
activemq-5.11.2
activemq-5.11.3
activemq-5.11.4
activemq-5.12.0
activemq-5.12.1
activemq-5.12.2
activemq-5.12.3
activemq-5.13.0
activemq-5.13.1
activemq-5.13.2
activemq-5.13.3
activemq-5.13.4
activemq-5.13.5
activemq-5.14.0
activemq-5.14.1
activemq-5.14.2
activemq-5.14.3
activemq-5.14.4
activemq-5.14.5
activemq-5.15.0
activemq-5.15.1
activemq-5.15.10
activemq-5.15.11
activemq-5.15.12
activemq-5.15.13
activemq-5.15.2
activemq-5.15.3
activemq-5.15.4
activemq-5.15.5
activemq-5.15.6
activemq-5.15.7
activemq-5.15.8
activemq-5.15.9
activemq-5.16.0
activemq-5.2.0
activemq-5.3.0
activemq-5.3.1
activemq-5.4.0
activemq-5.4.1
activemq-5.4.2
activemq-5.4.3
activemq-5.6.0
activemq-5.7.0
activemq-5.8.0
activemq-5.9.0
activemq-5.9.1
activemq-parent-5.*
activemq-parent-5.2
activemq-parent-5.3.2
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "34"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "35"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.12.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.7.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.12.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.1.1.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.0.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.0.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.1.1.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21341.json"