CVE-2021-21344
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-21344
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21344.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-21344
- Aliases
- Related
- Published
- 2021-03-23T00:15:12Z
- Modified
- 2025-05-24T03:08:38.383715Z
- Downstream
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
- References
-
- https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3
- https://security.netapp.com/advisory/ntap-20210430-0002/
- https://www.debian.org/security/2021/dsa-5004
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://x-stream.github.io/CVE-2021-21344.html
- http://x-stream.github.io/changes.html#1.4.16
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://x-stream.github.io/security.html#workaround
- https://security-tracker.debian.org/tracker/CVE-2021-21344
Affected packages
Debian:11 / libxstream-java
Package
- Name
- libxstream-java
- Purl
- pkg:deb/debian/libxstream-java?arch=source
Debian:12 / libxstream-java
Package
- Name
- libxstream-java
- Purl
- pkg:deb/debian/libxstream-java?arch=source
Debian:13 / libxstream-java
Package
- Name
- libxstream-java
- Purl
- pkg:deb/debian/libxstream-java?arch=source
Git / github.com/apache/activemq
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/activemq
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/apache/jmeter
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/mysql/mysql-server
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/x-stream/xstream
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
5.*
5.2-rc4
Other
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_5
XSTREAM_1_4_9
v5_2_RC1
activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.15.1
activemq-5.15.10
activemq-5.15.11
activemq-5.15.12
activemq-5.15.13
activemq-5.15.2
activemq-5.15.3
activemq-5.15.4
activemq-5.15.5
activemq-5.15.6
activemq-5.15.7
activemq-5.15.8
activemq-5.15.9
activemq-5.9.0
mysql-3.*
mysql-3.23.22-beta
mysql-3.23.24-beta
mysql-3.23.27-beta
mysql-3.23.28-gamma
mysql-3.23.29a-gamma
mysql-3.23.30-gamma
mysql-3.23.31
mysql-3.23.32
mysql-3.23.33
mysql-3.23.34
mysql-3.23.35
mysql-3.23.36
mysql-3.23.37
mysql-3.23.38
mysql-3.23.39
mysql-3.23.41
mysql-3.23.42
mysql-3.23.44
mysql-3.23.45
mysql-3.23.46
mysql-3.23.47
mysql-3.23.48
mysql-3.23.50
mysql-3.23.51
mysql-3.23.52
mysql-3.23.53
mysql-3.23.54
mysql-3.23.55
mysql-3.23.56
mysql-3.23.57
mysql-3.23.58
mysql-4.*
mysql-4.0.1
mysql-4.0.10
mysql-4.0.11
mysql-4.0.12
mysql-4.0.13
mysql-4.0.14
mysql-4.0.15
mysql-4.0.16
mysql-4.0.17
mysql-4.0.18
mysql-4.0.19
mysql-4.0.2
mysql-4.0.20
mysql-4.0.21
mysql-4.0.22
mysql-4.0.23
mysql-4.0.24
mysql-4.0.25
mysql-4.0.26
mysql-4.0.27
mysql-4.0.28
mysql-4.0.3
mysql-4.0.30
mysql-4.0.4
mysql-4.0.5
mysql-4.0.6
mysql-4.0.7
mysql-4.0.8
mysql-4.0.9
mysql-4.1.0
mysql-4.1.1
mysql-4.1.10
mysql-4.1.10a
mysql-4.1.10b
mysql-4.1.11
mysql-4.1.12
mysql-4.1.13
mysql-4.1.13a
mysql-4.1.14
mysql-4.1.15
mysql-4.1.16
mysql-4.1.18
mysql-4.1.19
mysql-4.1.2
mysql-4.1.20
mysql-4.1.21
mysql-4.1.22
mysql-4.1.23
mysql-4.1.24
mysql-4.1.3
mysql-4.1.4
mysql-4.1.5
mysql-4.1.6
mysql-4.1.7
mysql-4.1.8
mysql-4.1.9
mysql-5.*
mysql-5.0.0
mysql-5.0.1
mysql-5.0.10
mysql-5.0.10a
mysql-5.0.11
mysql-5.0.12
mysql-5.0.13
mysql-5.0.14
mysql-5.0.15
mysql-5.0.16
mysql-5.0.16a
mysql-5.0.17
mysql-5.0.17b
mysql-5.0.18
mysql-5.0.19
mysql-5.0.19a
mysql-5.0.2
mysql-5.0.2-alpha
mysql-5.0.20
mysql-5.0.20a
mysql-5.0.21
mysql-5.0.22
mysql-5.0.23
mysql-5.0.24
mysql-5.0.24a
mysql-5.0.25
mysql-5.0.26
mysql-5.0.27
mysql-5.0.28
mysql-5.0.3
mysql-5.0.30
mysql-5.0.32
mysql-5.0.33
mysql-5.0.34
mysql-5.0.36
mysql-5.0.37
mysql-5.0.38
mysql-5.0.4
mysql-5.0.40
mysql-5.0.41
mysql-5.0.42
mysql-5.0.44
mysql-5.0.45
mysql-5.0.46
mysql-5.0.48
mysql-5.0.5
mysql-5.0.50
mysql-5.0.51
mysql-5.0.51a
mysql-5.0.52
mysql-5.0.54
mysql-5.0.54a
mysql-5.0.56
mysql-5.0.58
mysql-5.0.6
mysql-5.0.60
mysql-5.0.60sp1
mysql-5.0.62
mysql-5.0.64
mysql-5.0.66
mysql-5.0.66a
mysql-5.0.66sp1
mysql-5.0.67
mysql-5.0.68
mysql-5.0.7
mysql-5.0.70
mysql-5.0.72
mysql-5.0.72sp1
mysql-5.0.74
mysql-5.0.74sp1
mysql-5.0.75
mysql-5.0.76
mysql-5.0.77
mysql-5.0.78
mysql-5.0.79
mysql-5.0.8
mysql-5.0.80
mysql-5.0.81
mysql-5.0.82
mysql-5.0.82sp1
mysql-5.0.83
mysql-5.0.84
mysql-5.0.84sp1
mysql-5.0.85
mysql-5.0.86
mysql-5.0.87
mysql-5.0.88
mysql-5.0.9
mysql-5.1.11
mysql-5.1.12
mysql-5.1.13
mysql-5.1.14
mysql-5.1.15
mysql-5.1.16
mysql-5.1.17
mysql-5.1.18
mysql-5.1.18-ndb-6.2.1
mysql-5.1.19
mysql-5.1.20
mysql-5.1.20-beta
mysql-5.1.21
mysql-5.1.22
mysql-5.1.23
mysql-5.1.24
mysql-5.1.25
mysql-5.1.26
mysql-5.1.28
mysql-5.1.29
mysql-5.1.3
mysql-5.1.30
mysql-5.1.31
mysql-5.1.31sp1
mysql-5.1.32
mysql-5.1.33
mysql-5.1.34
mysql-5.1.34sp1
mysql-5.1.35
mysql-5.1.36
mysql-5.1.37
mysql-5.1.37sp1
mysql-5.1.38
mysql-5.1.39
mysql-5.1.4
mysql-5.1.40
mysql-5.1.5
mysql-5.1.5-for-windows
mysql-5.1.6
mysql-5.1.7
mysql-5.1.9
mysql-5.4.1
mysql-5.4.2
mysql-5.4.3
rel/v5.*
rel/v5.2
rel/v5.2.1
rel/v5.3
rel/v5.4
rel/v5.4.1
v5.*
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2.1-rc1
v5.2.1-rc4
v5.2.1-rc5
v5.3-rc1
v5.4-rc1
v5.4-rc2
v5.4.1-rc1
v5.4.1-rc2
v5.5-rc1
v5.5-rc2