CVE-2021-21345
- Source
- https://cve.org/CVERecord?id=CVE-2021-21345
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21345.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-21345
- Aliases
- Downstream
- Related
- Published
- 2021-03-23T00:15:12.787Z
- Modified
- 2026-04-02T06:46:38.839659Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- http://x-stream.github.io/changes.html#1.4.16
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://www.debian.org/security/2021/dsa-5004
- https://x-stream.github.io/security.html#workaround
- https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
- https://security.netapp.com/advisory/ntap-20210430-0002/
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://x-stream.github.io/CVE-2021-21345.html
Affected packages
Git / github.com/apache/activemq
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/activemq
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "5.15.14" }, { "introduced": "0" }, { "last_affected": "5.16.0" }, { "introduced": "0" }, { "last_affected": "5.16.1" } ] }
Affected versions
5.*
5.2-rc4
Other
XSTREAM_0_2
XSTREAM_0_3
XSTREAM_0_4
XSTREAM_0_5
XSTREAM_0_6
XSTREAM_0_6_RC1
XSTREAM_1_0_1
XSTREAM_1_0_2
XSTREAM_1_0_RC1
XSTREAM_1_1
XSTREAM_1_1_1
XSTREAM_1_1_2
XSTREAM_1_1_3
XSTREAM_1_2
XSTREAM_1_2_1
XSTREAM_1_2_2
XSTREAM_1_3
XSTREAM_1_3_1
XSTREAM_1_4
XSTREAM_1_4_1
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_2
XSTREAM_1_4_3
XSTREAM_1_4_4
XSTREAM_1_4_5
XSTREAM_1_4_6
XSTREAM_1_4_7
XSTREAM_1_4_8
XSTREAM_1_4_9
v1_7_1
v1_7_1a
v1_7_3
v1_8
v1_8_1
v1_9
v1_9_1
v2_10
v2_10_RC1
v2_10_RC2
v2_11
v2_11_RC2
v2_12
v2_12_RC1
v2_12_RC2
v2_13
v2_13_RC1
v2_13_RC2
v2_1_1
v2_2
v2_3
v2_3_1
v2_3_2
v2_3_3
v2_3_4
v2_4
v2_5
v2_5_1
v2_6
v2_7
v2_7_RC3
v2_8
v2_8_RC1
v2_9
v2_9_RC3
v3_0
v3_1
v3_2
v3_3
v4_0
v5_0
v5_1
v5_1_1
v5_2_0_RC1
v5_2_RC1
activemq-4.*
activemq-4.0
activemq-4.0.1
activemq-4.0.2
activemq-4.1.0
activemq-4.1.1
activemq-4.1.2
activemq-5.*
activemq-5.0.0
activemq-5.1.0
activemq-5.10.0
activemq-5.10.1
activemq-5.10.2
activemq-5.11.0
activemq-5.11.1
activemq-5.11.2
activemq-5.11.3
activemq-5.11.4
activemq-5.12.0
activemq-5.12.1
activemq-5.12.2
activemq-5.12.3
activemq-5.13.0
activemq-5.13.1
activemq-5.13.2
activemq-5.13.3
activemq-5.13.4
activemq-5.13.5
activemq-5.14.0
activemq-5.14.1
activemq-5.14.2
activemq-5.14.3
activemq-5.14.4
activemq-5.14.5
activemq-5.15.0
activemq-5.15.1
activemq-5.15.10
activemq-5.15.11
activemq-5.15.12
activemq-5.15.13
activemq-5.15.2
activemq-5.15.3
activemq-5.15.4
activemq-5.15.5
activemq-5.15.6
activemq-5.15.7
activemq-5.15.8
activemq-5.15.9
activemq-5.16.0
activemq-5.2.0
activemq-5.3.0
activemq-5.3.1
activemq-5.4.0
activemq-5.4.1
activemq-5.4.2
activemq-5.4.3
activemq-5.5.0
activemq-5.5.1
activemq-5.6.0
activemq-5.7.0
activemq-5.8.0
activemq-5.9.0
activemq-5.9.1
activemq-parent-5.*
activemq-parent-5.2
activemq-parent-5.3.2
activemq-parent-5.5.1
rel/v5.*
rel/v5.2
rel/v5.2.1
rel/v5.3
rel/v5.4
rel/v5.4.1
rel/v5.4.2
rel/v5.4.3
v5.*
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2.1-rc1
v5.2.1-rc4
v5.2.1-rc5
v5.3-rc1
v5.4-rc1
v5.4-rc2
v5.4.1-rc1
v5.4.1-rc2
v5.4.2-rc1
v5.4.3-rc1
v5.5-rc1
v5.5-rc2
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21345.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "34"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "35"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.12.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.7.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.12.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.1.1.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.58"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.59"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.0.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.0.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.1.1.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
}
]