CVE-2021-39150
- Source
- https://cve.org/CVERecord?id=CVE-2021-39150
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39150.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-39150
- Aliases
- Downstream
- Related
- Published
- 2021-08-23T19:15:12.803Z
- Modified
- 2026-04-02T07:33:43.894101Z
- Severity
-
- 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.
- References
-
- https://security.netapp.com/advisory/ntap-20210923-0003/
- https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
- https://www.debian.org/security/2021/dsa-5004
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://x-stream.github.io/CVE-2021-39150.html
Affected packages
Git / github.com/x-stream/xstream
Affected versions
Other
XSTREAM_0_2
XSTREAM_0_3
XSTREAM_0_4
XSTREAM_0_5
XSTREAM_0_6
XSTREAM_0_6_RC1
XSTREAM_1_0_1
XSTREAM_1_0_2
XSTREAM_1_0_RC1
XSTREAM_1_1
XSTREAM_1_1_1
XSTREAM_1_1_2
XSTREAM_1_1_3
XSTREAM_1_2
XSTREAM_1_2_1
XSTREAM_1_2_2
XSTREAM_1_3
XSTREAM_1_3_1
XSTREAM_1_4
XSTREAM_1_4_1
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_16
XSTREAM_1_4_17
XSTREAM_1_4_2
XSTREAM_1_4_3
XSTREAM_1_4_4
XSTREAM_1_4_5
XSTREAM_1_4_6
XSTREAM_1_4_7
XSTREAM_1_4_8
XSTREAM_1_4_9
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39150.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "34"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "35"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.14.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.0.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.0.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "20.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.2.0.2.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.2.0.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.3.0.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.3.0.6.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.4.0.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.4.0.2.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.4.0.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.0.0.1.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
}
]