CVE-2021-43859
- Source
- https://cve.org/CVERecord?id=CVE-2021-43859
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43859.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-43859
- Aliases
- Downstream
- Related
- Published
- 2022-02-01T12:15:08.080Z
- Modified
- 2026-04-02T07:36:59.087686Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
- References
-
- https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
- http://www.openwall.com/lists/oss-security/2022/02/09/1
- https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html
- https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
- https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
- https://x-stream.github.io/CVE-2021-43859.html
Affected packages
Git / github.com/jenkinsci/jenkins
Affected ranges
- Type
- GIT
- Repo
- https://github.com/jenkinsci/jenkins
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "2.319.3" }, { "introduced": "2.321" }, { "fixed": "2.334" }, { "introduced": "0" }, { "last_affected": "34" }, { "introduced": "0" }, { "last_affected": "35" } ] }
Affected versions
1.*
1.312
1.313
1.314
1.315
1.316
1.317
1.318
1.319
1.320
1.321
1.322
1.324-rc
1.325-rc
1.326
1.327-rc
1.328-rc
1.329
1.330
1.331
1.332
1.333
1.334
1.335
1.336
1.337
1.338
1.339
1.340
1.341
1.343
1.344
1.345
1.346
1.347
1.348
1.349
1.350
1.351
1.352
1.353
1.354
1.356
1.357
1.358
1.359
1.360
1.361
1.362
1.363
1.364
1.365
1.366
1.367
1.368
1.370
1.372
1.373
1.374
1.376
1.377
1.378
1.380
1.381
1.382
1.383
1.384
1.385
1.480.3-rc2
1.480.3-rc3
1.480.3-rc4
1.502-rc1
2.*
2.332.1-rc-2
Other
XSTREAM_0_2
XSTREAM_0_3
XSTREAM_0_4
XSTREAM_0_5
XSTREAM_0_6
XSTREAM_0_6_RC1
XSTREAM_1_0_1
XSTREAM_1_0_2
XSTREAM_1_0_RC1
XSTREAM_1_1
XSTREAM_1_1_1
XSTREAM_1_1_2
XSTREAM_1_1_3
XSTREAM_1_2
XSTREAM_1_2_1
XSTREAM_1_2_2
XSTREAM_1_3
XSTREAM_1_3_1
XSTREAM_1_4
XSTREAM_1_4_1
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_16
XSTREAM_1_4_17
XSTREAM_1_4_18
XSTREAM_1_4_2
XSTREAM_1_4_3
XSTREAM_1_4_4
XSTREAM_1_4_5
XSTREAM_1_4_6
XSTREAM_1_4_7
XSTREAM_1_4_8
XSTREAM_1_4_9
builds/10
builds/11
builds/12
builds/13
builds/14
builds/15
builds/16
builds/17
builds/18
builds/19
builds/2
builds/21
builds/22
builds/23
builds/24
builds/26
builds/27
builds/28
builds/29
builds/3
builds/30
builds/31
builds/32
builds/33
builds/34
builds/4
builds/5
builds/6
builds/7
builds/9
changes/10
changes/11
changes/12
changes/13
changes/14
changes/15
changes/16
changes/17
changes/18
changes/19
changes/2
changes/20
changes/21
changes/22
changes/23
changes/24
changes/25
changes/26
changes/27
changes/28
changes/29
changes/3
changes/30
changes/31
changes/32
changes/33
changes/34
changes/4
changes/5
changes/6
changes/7
changes/8
changes/9
hudson-1_387
hudson-1_388
hudson-1_389
hudson-1_390
hudson-1_391
hudson-1_392
hudson-1_393
hudson-1_394
hudson-1_395
jenkins-1_396
jenkins-1_397
jenkins-1_398
jenkins-1_399
jenkins-1_400
jenkins-1_401
jenkins-1_402
jenkins-1_403
jenkins-1_404
jenkins-1_405
jenkins-1_406
jenkins-1_407
jenkins-1_408
jenkins-1_409
jenkins-1_410
jenkins-1_411
jenkins-1_412
jenkins-1_413
jenkins-1_414
jenkins-1_415
unified-annotation-indexer
jenkin-1.*
jenkin-1.532.1-rc1
jenkin-1.532.3-RC1
jenkins-1.*
jenkins-1.409.1
jenkins-1.409.1-rc1
jenkins-1.409.2
jenkins-1.409.2-rc
jenkins-1.409.3
jenkins-1.416
jenkins-1.417
jenkins-1.418
jenkins-1.419
jenkins-1.420
jenkins-1.421
jenkins-1.422
jenkins-1.423
jenkins-1.424
jenkins-1.424-rc2
jenkins-1.424.1
jenkins-1.424.1-rc1
jenkins-1.424.1-rc2
jenkins-1.424.1-rc3
jenkins-1.424.2
jenkins-1.424.2-rc1
jenkins-1.424.2-rc2
jenkins-1.424.2-rc3
jenkins-1.424.3
jenkins-1.424.3-rc2
jenkins-1.424.4
jenkins-1.424.5
jenkins-1.424.6
jenkins-1.425
jenkins-1.426
jenkins-1.427
jenkins-1.428
jenkins-1.429
jenkins-1.430
jenkins-1.431
jenkins-1.432
jenkins-1.433
jenkins-1.434
jenkins-1.435
jenkins-1.436
jenkins-1.437
jenkins-1.438
jenkins-1.439
jenkins-1.440
jenkins-1.441
jenkins-1.442
jenkins-1.443
jenkins-1.444
jenkins-1.445
jenkins-1.446
jenkins-1.447
jenkins-1.447.1
jenkins-1.447.1-rc1
jenkins-1.447.2
jenkins-1.448
jenkins-1.449
jenkins-1.450
jenkins-1.451
jenkins-1.452
jenkins-1.453
jenkins-1.454
jenkins-1.455
jenkins-1.456
jenkins-1.457
jenkins-1.458
jenkins-1.459
jenkins-1.460
jenkins-1.461
jenkins-1.462
jenkins-1.463
jenkins-1.464
jenkins-1.465
jenkins-1.466
jenkins-1.466.1
jenkins-1.466.1-rc1
jenkins-1.466.2
jenkins-1.467
jenkins-1.468
jenkins-1.469
jenkins-1.470
jenkins-1.471
jenkins-1.472
jenkins-1.473
jenkins-1.474
jenkins-1.475
jenkins-1.477
jenkins-1.478
jenkins-1.479
jenkins-1.480
jenkins-1.480.1
jenkins-1.480.1-RC1
jenkins-1.480.2
jenkins-1.480.3
jenkins-1.481
jenkins-1.482
jenkins-1.483
jenkins-1.484
jenkins-1.485
jenkins-1.486
jenkins-1.487
jenkins-1.488
jenkins-1.489
jenkins-1.490
jenkins-1.491
jenkins-1.492
jenkins-1.493
jenkins-1.494
jenkins-1.495
jenkins-1.496
jenkins-1.497
jenkins-1.498
jenkins-1.499
jenkins-1.500
jenkins-1.501
jenkins-1.502
jenkins-1.503
jenkins-1.504
jenkins-1.505
jenkins-1.506
jenkins-1.507
jenkins-1.508
jenkins-1.509
jenkins-1.509.1
jenkins-1.509.1-rc1
jenkins-1.509.1-rc2
jenkins-1.509.2
jenkins-1.509.2-rc1
jenkins-1.509.3
jenkins-1.509.3-rc1
jenkins-1.509.4
jenkins-1.509.4-rc1
jenkins-1.509.4-sp3
jenkins-1.510
jenkins-1.511
jenkins-1.512
jenkins-1.513
jenkins-1.514
jenkins-1.515
jenkins-1.516
jenkins-1.517
jenkins-1.518
jenkins-1.519
jenkins-1.520
jenkins-1.521
jenkins-1.522
jenkins-1.523
jenkins-1.524
jenkins-1.525
jenkins-1.526
jenkins-1.527
jenkins-1.528
jenkins-1.529
jenkins-1.530
jenkins-1.531
jenkins-1.532
jenkins-1.532.1
jenkins-1.532.1-rc1
jenkins-1.532.2
jenkins-1.532.3
jenkins-1.532.3-RC1
jenkins-1.533
jenkins-1.534
jenkins-1.535
jenkins-1.536
jenkins-1.537
jenkins-1.538
jenkins-1.539
jenkins-1.540
jenkins-1.541
jenkins-1.542
jenkins-1.543
jenkins-1.544
jenkins-1.545
jenkins-1.546
jenkins-1.547
jenkins-1.548
jenkins-1.549
jenkins-1.550
jenkins-2.*
jenkins-2.321
jenkins-2.322
jenkins-2.323
jenkins-2.324
jenkins-2.325
jenkins-2.326
jenkins-2.327
jenkins-2.328
jenkins-2.329
jenkins-2.330
jenkins-2.331
jenkins-2.332
jenkins-2.332.1
jenkins-2.332.1-rc
jenkins-2.332.2
jenkins-2.332.2-rc
jenkins-2.332.2-rc-2
jenkins-2.332.3
jenkins-2.332.3-rc
jenkins-2.332.4
jenkins-2.333
prototype-1.*
prototype-1.5.1.1
prototype-1.7
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43859.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.0.0.4.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.9.0"
}
]
},
{
"events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.1.0"
}
]
},
{
"events": [
{
"introduced": "8.2.0"
},
{
"last_affected": "8.2.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.6.0.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.0.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.0.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "20.0.1"
}
]
}
]
vanir_signatures
[
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "55566688760790417229342517075763677048",
"length": 181.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-29d87ff6",
"target": {
"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java",
"function": "testInstanceOfVoid"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "261717738691877522929827956336707666449",
"length": 158.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-3b92b93a",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java",
"function": "addCurrentElementToCollection"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "17231138287832600381894592100287068069",
"length": 381.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-42b4ae14",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java",
"function": "convert"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "220166040034801707177840403453687177859",
"length": 650.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-43f10a94",
"target": {
"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java",
"function": "testCannotInjectEventHandler"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"37669725065981372541361920149060037669",
"1754229239276929498699274070455340911",
"41982352291054190134426946505239413600",
"339132426552016436555085584248404447229",
"281190335896921026067654418042948691705",
"101836451350065470669588115209640466933",
"170069226330896549956587004495602417294",
"175405664480641811482846628989242555461",
"308344043568311556500843217578373648934",
"214661633136529325303486917787961611567",
"57524199966063753519088560374134026781",
"63361542330210864932936498280080202040",
"121377978789604838791055385342124703054",
"120564178264636159261842547107268022221",
"280309282135332622366291820899588071183",
"116140396242623306064878654562145661014",
"228659153108235947882753463685898110017",
"253465008515736530894371217708547114895",
"47604041726619113582236911670478212984",
"157827691179106628380218623395528602742",
"299357159731611816879190520786090623494",
"263325449489108397308033639618897227089",
"195855868307017984720518213082419999218",
"157827691179106628380218623395528602742",
"56570557617033010041633030400660432580",
"266269599569454697175169268514228635384"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-48fd1814",
"target": {
"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "158675721028694727290893110113569592667",
"length": 372.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-59287a06",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java",
"function": "unmarshal"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "86104287393050438777889317149321611565",
"length": 219.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-827b0ed4",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java",
"function": "putCurrentEntryIntoMap"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"47133092775335648767215388072869838081",
"72897891070941714057763968897150290546",
"204876188397446628625129180757218716667",
"183977537466193036774603040383124982900",
"108738211081595398246856293798472960621",
"17550906770456504535387592149065180578",
"160816637933070719777862874531377453485",
"131320530687662887544912643709547885866",
"79469178477997099640743731152801113345"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-840ebf27",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"7616263090923437985525346265549616761",
"211219839203299185987365307554810409985",
"73721228261296255058296875540290052237",
"239913871774152437040395752063489313149",
"117725265296903224689269951407431455617",
"126617756455122379474158532832345634375",
"158235987049869476657084451570586380240",
"314118849962306354916524331560040293068",
"96433297052028480260787407611872064849",
"325820611125133184921877174183212096326",
"275047211673991781190008335997426805456",
"251899931567808305004438430281872370011",
"177754559542579598598790658770667215612",
"118738670761640002657491233549629791713",
"71362147945938633015783245649742152827",
"239637841955745921799253626664476578801",
"136908090792826903881571180858786345652",
"226208401357142230571642567540990195204",
"5923312382624037816122342231039016977",
"256450194889914305419909032943252724007",
"209578339882724276781126381994571211439",
"207821519896740168085970131722419024131",
"89998112668629298309028616244523277223",
"257848222184230265269703082711942417201",
"231035764628361720499571828605484840546",
"48705185870131617258729178622391399075",
"334353687146338771572110171878246600462",
"164655022164759611606439376066928116229",
"38013853609415735731977596616628687320"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-9f4d057d",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "228474360994162782889542199712320720945",
"length": 1357.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-ad6928e4",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java",
"function": "populateMap"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"67983786004786075010774811532640513342",
"155251688185425872193164153142665759940",
"180982352636348001737525535511897856621",
"291635795756997543440780842469637458131",
"100411840036841395080916223528854409368",
"45659907922294160967612934064248224018",
"31472221394269137905746344083408247215",
"88563598898606841684968123180300453216"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-ad72fdf2",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"185869447222012862197413743734267332963",
"274937438635320053675547534042926965660",
"212113714018905300703044115447665097447",
"315082099377130877878551267537102060517",
"322595832639141750214961352993266288428",
"288516566081390833032506510066468270740",
"6674929763605018183272915908570643204",
"256753108423566523410138376942892651005"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-b91b8836",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"136451740817690776813850310762997082518",
"105753953192027108849418635246114421000",
"118882738501084926826075990972404281301",
"212020063483191151362987575288808695462",
"287333414921625036090543832290154043373",
"9891789946521726045761755493407333519",
"5559154755073053156556721280319387054",
"238112864466872781268528486106920449733"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-ccb9a04c",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "11964886622017048364241710368819996484",
"length": 219.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-cf16e600",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java",
"function": "readFromStream"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "12709619694192487888878944821281014679",
"length": 873.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-df4b16d4",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java",
"function": "createObjectInputStream"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "253499341416318301251134402216259344937",
"length": 401.0
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-e2dd41b1",
"target": {
"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java",
"function": "testCannotUseJaxwsInputStreamToDeleteFile"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"302436115647464791492807424592955265526",
"20337160572719266553945974133231939115",
"100606639916437884206076948162615070323"
],
"threshold": 0.9
},
"source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
"id": "CVE-2021-43859-f898dd1d",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java"
}
}
]