Look up vulnerable packages by Package URL.

Purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.3
Type maven
Namespace com.thoughtworks.xstream
Name xstream
Version 1.4.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.4.21
Latest_non_vulnerable_version 1.4.21
Affected_by_vulnerabilities
0
url VCID-12bx-r37t-3ygm
vulnerability_id VCID-12bx-r37t-3ygm
summary
Server-Side Request Forgery (SSRF)
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39150.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39150.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39150
reference_id
reference_type
scores
0
value 0.02418
scoring_system epss
scoring_elements 0.85143
published_at 2026-04-18T12:55:00Z
1
value 0.02418
scoring_system epss
scoring_elements 0.8514
published_at 2026-04-21T12:55:00Z
2
value 0.02418
scoring_system epss
scoring_elements 0.85119
published_at 2026-04-13T12:55:00Z
3
value 0.02418
scoring_system epss
scoring_elements 0.85046
published_at 2026-04-01T12:55:00Z
4
value 0.02418
scoring_system epss
scoring_elements 0.85102
published_at 2026-04-08T12:55:00Z
5
value 0.02418
scoring_system epss
scoring_elements 0.8508
published_at 2026-04-07T12:55:00Z
6
value 0.02418
scoring_system epss
scoring_elements 0.85076
published_at 2026-04-04T12:55:00Z
7
value 0.02418
scoring_system epss
scoring_elements 0.85059
published_at 2026-04-02T12:55:00Z
8
value 0.02418
scoring_system epss
scoring_elements 0.85122
published_at 2026-04-12T12:55:00Z
9
value 0.02418
scoring_system epss
scoring_elements 0.85125
published_at 2026-04-11T12:55:00Z
10
value 0.02418
scoring_system epss
scoring_elements 0.85109
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39150
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39150.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39150.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997786
reference_id 1997786
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997786
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39150
reference_id CVE-2021-39150
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39150
36
reference_url https://github.com/advisories/GHSA-cxfm-5m4g-x7xp
reference_id GHSA-cxfm-5m4g-x7xp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cxfm-5m4g-x7xp
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39150, GHSA-cxfm-5m4g-x7xp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-12bx-r37t-3ygm
1
url VCID-2t1b-135u-euem
vulnerability_id VCID-2t1b-135u-euem
summary
XStream can be used for Remote Code Execution
### Impact
The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.14.

### Workarounds
No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected. Anyone relying on XStream's default blacklist can immediately switch to a whitelist of the allowed types to avoid the vulnerability.

Users of XStream 1.4.13 or below who still want to use XStream's default blacklist can use a workaround that depends on the version in use.

Users of XStream 1.4.13 can simply add two lines to XStream's setup code:
```Java
// ImageIO$ContainsFilter is not a public class, so it is denied by name rather than by class literal.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
```
Users of XStream 1.4.7 to 1.4.12 who want to use XStream with a blacklist will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _java.lang.Void_ and _void_.
```Java
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
xstream.denyTypes(new Class[]{ java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
```
Users of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:
```Java
import java.lang.reflect.Proxy;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

// Low priority: the converter only claims the listed types, and for those it fails
// instead of instantiating them. Dynamic proxies are detected via java.lang.reflect.Proxy.
xstream.registerConverter(new Converter() {
  public boolean canConvert(Class type) {
    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
        || type == java.lang.Void.class || type == void.class
        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxyClass(type));
  }

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
}, XStream.PRIORITY_LOW);
```

### Credits
Chen L found and reported the issue to XStream and provided the required information to reproduce it. He was supported by Zhihong Tian and Hui Lu, both from Guangzhou University.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2020-26217](https://x-stream.github.io/CVE-2020-26217.html).

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26217.json
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26217.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26217
reference_id
reference_type
scores
0
value 0.93008
scoring_system epss
scoring_elements 0.99785
published_at 2026-04-18T12:55:00Z
1
value 0.93008
scoring_system epss
scoring_elements 0.99784
published_at 2026-04-21T12:55:00Z
2
value 0.93008
scoring_system epss
scoring_elements 0.99783
published_at 2026-04-13T12:55:00Z
3
value 0.93008
scoring_system epss
scoring_elements 0.99782
published_at 2026-04-04T12:55:00Z
4
value 0.93008
scoring_system epss
scoring_elements 0.99781
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26217
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
6
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
7
reference_url https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
10
reference_url https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
11
reference_url https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26217
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26217
13
reference_url https://security.netapp.com/advisory/ntap-20210409-0004
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210409-0004
14
reference_url https://www.debian.org/security/2020/dsa-4811
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4811
15
reference_url https://www.oracle.com/security-alerts/cpuApr2021.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuApr2021.html
16
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
17
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
18
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
19
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
20
reference_url https://x-stream.github.io/CVE-2020-26217.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2020-26217.html
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1898907
reference_id 1898907
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1898907
22
reference_url https://github.com/advisories/GHSA-mw36-7c6c-q4q2
reference_id GHSA-mw36-7c6c-q4q2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mw36-7c6c-q4q2
23
reference_url https://access.redhat.com/errata/RHSA-2021:0105
reference_id RHSA-2021:0105
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0105
24
reference_url https://access.redhat.com/errata/RHSA-2021:0106
reference_id RHSA-2021:0106
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0106
25
reference_url https://access.redhat.com/errata/RHSA-2021:0162
reference_id RHSA-2021:0162
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0162
26
reference_url https://access.redhat.com/errata/RHSA-2021:0384
reference_id RHSA-2021:0384
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0384
27
reference_url https://access.redhat.com/errata/RHSA-2021:0433
reference_id RHSA-2021:0433
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0433
28
reference_url https://access.redhat.com/errata/RHSA-2021:3205
reference_id RHSA-2021:3205
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3205
29
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
30
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
31
reference_url https://usn.ubuntu.com/4714-1/
reference_id USN-4714-1
reference_type
scores
url https://usn.ubuntu.com/4714-1/
32
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
33
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.14-java7
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.14-java7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-6mz4-fu3s-vycx
2
vulnerability VCID-7ma6-2uv1-sbef
3
vulnerability VCID-8gha-n6ke-nucu
4
vulnerability VCID-9442-1vwr-5fbt
5
vulnerability VCID-c5tu-31kw-mfcf
6
vulnerability VCID-dxpe-qmxq-ykax
7
vulnerability VCID-eeye-wfxf-x7cc
8
vulnerability VCID-exrn-u19r-wfd8
9
vulnerability VCID-f779-wcjk-kfc1
10
vulnerability VCID-fcg2-x3s5-wudk
11
vulnerability VCID-hqzr-vc5w-9ff5
12
vulnerability VCID-hsja-ryzy-7bbx
13
vulnerability VCID-mfub-hwcq-pqbt
14
vulnerability VCID-na6t-mkxt-3qbw
15
vulnerability VCID-npjx-vkrd-9bae
16
vulnerability VCID-nrf7-heu6-vfdc
17
vulnerability VCID-qh44-75jb-wbhf
18
vulnerability VCID-qvbb-jhkk-2udw
19
vulnerability VCID-qwp5-wae9-cffb
20
vulnerability VCID-re5g-6kjz-q7e8
21
vulnerability VCID-rfc1-r1gr-wffp
22
vulnerability VCID-sqb5-brnu-vfbk
23
vulnerability VCID-u5yy-xx6z-dfh6
24
vulnerability VCID-v7za-zjfx-mqek
25
vulnerability VCID-vn1d-9uf5-gbce
26
vulnerability VCID-vpxs-6wcf-ckh9
27
vulnerability VCID-wehr-d623-akaj
28
vulnerability VCID-xdpy-sx55-b3ac
29
vulnerability VCID-xsr8-3cke-33ck
30
vulnerability VCID-yb4j-92y9-nfb5
31
vulnerability VCID-yuwe-6pp1-bke2
32
vulnerability VCID-zm9c-xw64-5qcc
33
vulnerability VCID-zmh2-t17w-wue1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.14-java7
aliases CVE-2020-26217, GHSA-mw36-7c6c-q4q2
risk_score 10.0
exploitability 2.0
weighted_severity 8.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2t1b-135u-euem
2
url VCID-6mz4-fu3s-vycx
vulnerability_id VCID-6mz4-fu3s-vycx
summary
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
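The allow list that both advisories on this page recommend (the VCID-2t1b-135u-euem workarounds above, which only show the blacklist variants, and the sentence at the top of this advisory), shown as an added example that is not part of the original advisories or of the XStream project's own code. It assumes XStream 1.4.7 or later on the classpath (the release that introduced the `addPermission`/`allowTypes` security framework and `ForbiddenClassException`); the `Order` class and the `order` alias are hypothetical application types, and the hostile XML is constructed for the demonstration. The instance starts from a deny-everything permission, admits only null, primitives, `String`, the `Collection` hierarchy and `Order`, round-trips an `Order`, and then rejects an input naming `java.lang.ProcessBuilder`, one of the JDK types the 1.4.13 blacklist workaround above has to deny by hand.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class XStreamAllowList {

    // Hypothetical application type: the only custom class the allow list admits.
    public static class Order {
        String id;
        List<String> items = new ArrayList<String>();
    }

    /** Builds an XStream instance that rejects every type not explicitly allowed. */
    public static XStream hardened() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears all existing permissions, including the
        // default blacklist-based AnyTypePermission of releases before 1.4.18.
        xstream.addPermission(NoTypePermission.NONE);
        // Add back only what the application's object graph needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });       // not covered by PRIMITIVES
        xstream.allowTypeHierarchy(Collection.class);            // ArrayList used by Order.items
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Allowed type: serialize and deserialize normally.
        Order order = new Order();
        order.id = "A-1";
        order.items.add("widget");
        String xml = xstream.toXML(order);
        Order roundTrip = (Order) xstream.fromXML(xml);
        System.out.println("round trip ok: " + roundTrip.id + " " + roundTrip.items);

        // Constructed input naming a JDK type the allow list never admitted.
        // The type is rejected when its name is resolved, before any instance is created.
        String hostile = "<java.lang.ProcessBuilder><command><string>id</string></command></java.lang.ProcessBuilder>";
        try {
            xstream.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with the xstream jar on the classpath. The same configuration is still what you want on 1.4.18 and later: those releases deny everything by default, but application types have to be registered explicitly either way, and the `denyTypes` workarounds above never turn a blacklist into an allow list by themselves.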

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21350](https://x-stream.github.io/CVE-2021-21350.html).

### Credits
The vulnerability was discovered and reported by threedr3am.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21350.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21350.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21350
reference_id
reference_type
scores
0
value 0.08761
scoring_system epss
scoring_elements 0.92525
published_at 2026-04-21T12:55:00Z
1
value 0.08761
scoring_system epss
scoring_elements 0.92521
published_at 2026-04-18T12:55:00Z
2
value 0.08761
scoring_system epss
scoring_elements 0.92471
published_at 2026-04-01T12:55:00Z
3
value 0.08761
scoring_system epss
scoring_elements 0.92522
published_at 2026-04-16T12:55:00Z
4
value 0.08761
scoring_system epss
scoring_elements 0.92513
published_at 2026-04-12T12:55:00Z
5
value 0.08761
scoring_system epss
scoring_elements 0.92511
published_at 2026-04-13T12:55:00Z
6
value 0.08761
scoring_system epss
scoring_elements 0.92505
published_at 2026-04-09T12:55:00Z
7
value 0.08761
scoring_system epss
scoring_elements 0.925
published_at 2026-04-08T12:55:00Z
8
value 0.08761
scoring_system epss
scoring_elements 0.92489
published_at 2026-04-07T12:55:00Z
9
value 0.08761
scoring_system epss
scoring_elements 0.92485
published_at 2026-04-04T12:55:00Z
10
value 0.08761
scoring_system epss
scoring_elements 0.92477
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21350
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21350
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21350
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21350.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21350.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942637
reference_id 1942637
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942637
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-43gc-mjxg-gvrq
reference_id GHSA-43gc-mjxg-gvrq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-43gc-mjxg-gvrq
28
reference_url https://access.redhat.com/errata/RHSA-2021:1354
reference_id RHSA-2021:1354
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1354
29
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
30
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
31
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
32
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
33
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
34
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
35
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
36
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21350, GHSA-43gc-mjxg-gvrq
risk_score 3.6
exploitability 0.5
weighted_severity 7.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6mz4-fu3s-vycx
3
url VCID-7ma6-2uv1-sbef
vulnerability_id VCID-7ma6-2uv1-sbef
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39147.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39147.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39147
reference_id
reference_type
scores
0
value 0.00674
scoring_system epss
scoring_elements 0.71438
published_at 2026-04-21T12:55:00Z
1
value 0.00674
scoring_system epss
scoring_elements 0.71459
published_at 2026-04-18T12:55:00Z
2
value 0.00674
scoring_system epss
scoring_elements 0.71453
published_at 2026-04-16T12:55:00Z
3
value 0.00674
scoring_system epss
scoring_elements 0.71365
published_at 2026-04-07T12:55:00Z
4
value 0.00674
scoring_system epss
scoring_elements 0.71418
published_at 2026-04-09T12:55:00Z
5
value 0.00674
scoring_system epss
scoring_elements 0.71406
published_at 2026-04-08T12:55:00Z
6
value 0.00674
scoring_system epss
scoring_elements 0.7139
published_at 2026-04-04T12:55:00Z
7
value 0.00674
scoring_system epss
scoring_elements 0.71373
published_at 2026-04-02T12:55:00Z
8
value 0.00674
scoring_system epss
scoring_elements 0.71407
published_at 2026-04-13T12:55:00Z
9
value 0.00674
scoring_system epss
scoring_elements 0.71425
published_at 2026-04-12T12:55:00Z
10
value 0.00674
scoring_system epss
scoring_elements 0.7144
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39147
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39147.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39147.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997779
reference_id 1997779
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997779
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39147
reference_id CVE-2021-39147
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39147
36
reference_url https://github.com/advisories/GHSA-h7v4-7xg3-hxcc
reference_id GHSA-h7v4-7xg3-hxcc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h7v4-7xg3-hxcc
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39147, GHSA-h7v4-7xg3-hxcc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ma6-2uv1-sbef
4
url VCID-8gha-n6ke-nucu
vulnerability_id VCID-8gha-n6ke-nucu
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
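The summaries of this entry and the previous one (CVE-2021-39147 and CVE-2021-39148) both state that deployments which configured XStream's security framework with a minimal allow list are not impacted. The following is an added example, not code from this page or from the XStream project, showing what that configuration looks like with XStream's public API (1.4.7 or later, which is where allowTypes and the permission classes appeared). The Order class, the alias and the two sample XML documents are constructed for illustration and do not come from any of the advisories listed here.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class XStreamAllowListExample {

    // Hypothetical application type: the only object graph this service expects to read.
    public static class Order {
        public String id;
        public int quantity;
        public List<String> tags = new ArrayList<>();
    }

    /**
     * Returns an XStream instance that can deserialize Order documents and nothing else.
     * Any element naming a class outside the allow list is rejected before the class is
     * instantiated, which is what stops the gadget-chain payloads these CVEs describe.
     */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears every default permission, so the calls below are
        // the complete set of types XStream may create. Releases before 1.4.18 otherwise
        // fall back to a deny list, which is the configuration the listed CVEs bypass.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Order.tags is declared as List; XStream instantiates an ArrayList for it.
        xstream.allowTypeHierarchy(Collection.class);
        // Alias chosen for the example so the XML below stays readable.
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample input: a well-formed Order document.
        String legitimate =
              "<order>"
            + "<id>A-1001</id>"
            + "<quantity>2</quantity>"
            + "<tags><string>rush</string></tags>"
            + "</order>";
        Order order = (Order) xstream.fromXML(legitimate);
        System.out.println("accepted: id=" + order.id
                + " quantity=" + order.quantity + " tags=" + order.tags);

        // Constructed sample input: a document whose root names a class that is not on
        // the allow list. It stands in for any attacker-chosen type; the particular class
        // does not matter because the check is by type, before any content is read.
        String hostile = "<java.util.HashMap/>";
        try {
            xstream.fromXML(hostile);
            System.out.println("unexpected: hostile document was accepted");
        } catch (ForbiddenClassException e) {
            // Thrown by the security mapper when the root class is resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of the calls matters: adding NoTypePermission.NONE after the allow calls would wipe them out again. A forbidden type that appears nested inside an allowed object is rejected by the same mapper, so the same list protects every level of the document, not only the root element. Upgrading to a version at or past the fix release listed under fixed_packages is still required; the allow list is the mitigation the advisories describe for deployments that cannot upgrade immediately, and it remains good practice after upgrading.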
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39148.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39148.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39148
reference_id
reference_type
scores
0
value 0.00674
scoring_system epss
scoring_elements 0.71438
published_at 2026-04-21T12:55:00Z
1
value 0.00674
scoring_system epss
scoring_elements 0.71459
published_at 2026-04-18T12:55:00Z
2
value 0.00674
scoring_system epss
scoring_elements 0.71453
published_at 2026-04-16T12:55:00Z
3
value 0.00674
scoring_system epss
scoring_elements 0.71365
published_at 2026-04-07T12:55:00Z
4
value 0.00674
scoring_system epss
scoring_elements 0.71418
published_at 2026-04-09T12:55:00Z
5
value 0.00674
scoring_system epss
scoring_elements 0.71406
published_at 2026-04-08T12:55:00Z
6
value 0.00674
scoring_system epss
scoring_elements 0.7139
published_at 2026-04-04T12:55:00Z
7
value 0.00674
scoring_system epss
scoring_elements 0.71373
published_at 2026-04-02T12:55:00Z
8
value 0.00674
scoring_system epss
scoring_elements 0.71407
published_at 2026-04-13T12:55:00Z
9
value 0.00674
scoring_system epss
scoring_elements 0.71425
published_at 2026-04-12T12:55:00Z
10
value 0.00674
scoring_system epss
scoring_elements 0.7144
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39148
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39148.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39148.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997781
reference_id 1997781
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997781
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39148
reference_id CVE-2021-39148
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39148
36
reference_url https://github.com/advisories/GHSA-qrx8-8545-4wg2
reference_id GHSA-qrx8-8545-4wg2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qrx8-8545-4wg2
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39148, GHSA-qrx8-8545-4wg2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8gha-n6ke-nucu
5
url VCID-9442-1vwr-5fbt
vulnerability_id VCID-9442-1vwr-5fbt
summary
XStream can cause Denial of Service via stack overflow
### Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

### Patches
XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

### Workarounds
The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. The following types of the Java runtime are affected:

- java.util.HashMap
- java.util.HashSet
- java.util.Hashtable
- java.util.LinkedHashMap
- java.util.LinkedHashSet
- Other third party collection implementations that use their element's hash code may also be affected

A simple solution is to catch the StackOverflowError in the client code calling XStream.

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCES mode:
```Java
XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);
```

If your object graph contains neither a Hashtable, HashMap nor a HashSet (nor one of their linked variants), then you can use the security framework to deny the usage of these types:
```Java
XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});
```

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers to these only as the default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:
```Java
xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);
```
However, this implies that your application does not care about the implementation of the map and all elements are comparable.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html).

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-41966
reference_id
reference_type
scores
0
value 0.02376
scoring_system epss
scoring_elements 0.84993
published_at 2026-04-21T12:55:00Z
1
value 0.02376
scoring_system epss
scoring_elements 0.84911
published_at 2026-04-02T12:55:00Z
2
value 0.02376
scoring_system epss
scoring_elements 0.84929
published_at 2026-04-04T12:55:00Z
3
value 0.02376
scoring_system epss
scoring_elements 0.84934
published_at 2026-04-07T12:55:00Z
4
value 0.02376
scoring_system epss
scoring_elements 0.84957
published_at 2026-04-08T12:55:00Z
5
value 0.02376
scoring_system epss
scoring_elements 0.84963
published_at 2026-04-09T12:55:00Z
6
value 0.02376
scoring_system epss
scoring_elements 0.84979
published_at 2026-04-11T12:55:00Z
7
value 0.02376
scoring_system epss
scoring_elements 0.84978
published_at 2026-04-12T12:55:00Z
8
value 0.02376
scoring_system epss
scoring_elements 0.84973
published_at 2026-04-13T12:55:00Z
9
value 0.02376
scoring_system epss
scoring_elements 0.84994
published_at 2026-04-16T12:55:00Z
10
value 0.02376
scoring_system epss
scoring_elements 0.84996
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-41966
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/
url https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-41966
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-41966
7
reference_url https://x-stream.github.io/CVE-2022-41966.html
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/
url https://x-stream.github.io/CVE-2022-41966.html
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
reference_id 1027754
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2170431
reference_id 2170431
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2170431
10
reference_url https://github.com/advisories/GHSA-j563-grx4-pjpv
reference_id GHSA-j563-grx4-pjpv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j563-grx4-pjpv
11
reference_url https://access.redhat.com/errata/RHSA-2023:1006
reference_id RHSA-2023:1006
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1006
12
reference_url https://access.redhat.com/errata/RHSA-2023:1177
reference_id RHSA-2023:1177
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1177
13
reference_url https://access.redhat.com/errata/RHSA-2023:1286
reference_id RHSA-2023:1286
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1286
14
reference_url https://access.redhat.com/errata/RHSA-2023:2041
reference_id RHSA-2023:2041
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2041
15
reference_url https://access.redhat.com/errata/RHSA-2023:2100
reference_id RHSA-2023:2100
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2100
16
reference_url https://access.redhat.com/errata/RHSA-2023:3625
reference_id RHSA-2023:3625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3625
17
reference_url https://access.redhat.com/errata/RHSA-2023:3663
reference_id RHSA-2023:3663
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3663
18
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fcg2-x3s5-wudk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
aliases CVE-2022-41966, GHSA-j563-grx4-pjpv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9442-1vwr-5fbt
6
url VCID-c5tu-31kw-mfcf
vulnerability_id VCID-c5tu-31kw-mfcf
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. if using the version out of the box with Java runtime to 8 or with JavaFX installed. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39153.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39153.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39153
reference_id
reference_type
scores
0
value 0.00674
scoring_system epss
scoring_elements 0.71438
published_at 2026-04-21T12:55:00Z
1
value 0.00674
scoring_system epss
scoring_elements 0.71459
published_at 2026-04-18T12:55:00Z
2
value 0.00674
scoring_system epss
scoring_elements 0.71453
published_at 2026-04-16T12:55:00Z
3
value 0.00674
scoring_system epss
scoring_elements 0.71365
published_at 2026-04-07T12:55:00Z
4
value 0.00674
scoring_system epss
scoring_elements 0.71418
published_at 2026-04-09T12:55:00Z
5
value 0.00674
scoring_system epss
scoring_elements 0.71406
published_at 2026-04-08T12:55:00Z
6
value 0.00674
scoring_system epss
scoring_elements 0.7139
published_at 2026-04-04T12:55:00Z
7
value 0.00674
scoring_system epss
scoring_elements 0.71373
published_at 2026-04-02T12:55:00Z
8
value 0.00674
scoring_system epss
scoring_elements 0.71407
published_at 2026-04-13T12:55:00Z
9
value 0.00674
scoring_system epss
scoring_elements 0.71425
published_at 2026-04-12T12:55:00Z
10
value 0.00674
scoring_system epss
scoring_elements 0.7144
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39153
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39153.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39153.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997795
reference_id 1997795
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997795
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39153
reference_id CVE-2021-39153
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39153
36
reference_url https://github.com/advisories/GHSA-2q8x-2p7f-574v
reference_id GHSA-2q8x-2p7f-574v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2q8x-2p7f-574v
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39153, GHSA-2q8x-2p7f-574v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c5tu-31kw-mfcf
7
url VCID-dxpe-qmxq-ykax
vulnerability_id VCID-dxpe-qmxq-ykax
summary
Unrestricted Upload of File with Dangerous Type
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39145.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39145.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39145
reference_id
reference_type
scores
0
value 0.00618
scoring_system epss
scoring_elements 0.69988
published_at 2026-04-21T12:55:00Z
1
value 0.00618
scoring_system epss
scoring_elements 0.70006
published_at 2026-04-18T12:55:00Z
2
value 0.00618
scoring_system epss
scoring_elements 0.69996
published_at 2026-04-16T12:55:00Z
3
value 0.00618
scoring_system epss
scoring_elements 0.69953
published_at 2026-04-13T12:55:00Z
4
value 0.00618
scoring_system epss
scoring_elements 0.69966
published_at 2026-04-12T12:55:00Z
5
value 0.00618
scoring_system epss
scoring_elements 0.69982
published_at 2026-04-11T12:55:00Z
6
value 0.00618
scoring_system epss
scoring_elements 0.69958
published_at 2026-04-09T12:55:00Z
7
value 0.00618
scoring_system epss
scoring_elements 0.69942
published_at 2026-04-08T12:55:00Z
8
value 0.00618
scoring_system epss
scoring_elements 0.69894
published_at 2026-04-07T12:55:00Z
9
value 0.00618
scoring_system epss
scoring_elements 0.69917
published_at 2026-04-04T12:55:00Z
10
value 0.00618
scoring_system epss
scoring_elements 0.69902
published_at 2026-04-02T12:55:00Z
11
value 0.00618
scoring_system epss
scoring_elements 0.69889
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39145
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997775
reference_id 1997775
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997775
33
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
34
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39145
reference_id CVE-2021-39145
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39145
35
reference_url https://x-stream.github.io/CVE-2021-39145.html
reference_id CVE-2021-39145.HTML
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39145.html
36
reference_url https://github.com/advisories/GHSA-8jrj-525p-826v
reference_id GHSA-8jrj-525p-826v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8jrj-525p-826v
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39145, GHSA-8jrj-525p-826v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dxpe-qmxq-ykax
8
url VCID-eeye-wfxf-x7cc
vulnerability_id VCID-eeye-wfxf-x7cc
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39146.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39146.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39146
reference_id
reference_type
scores
0
value 0.47156
scoring_system epss
scoring_elements 0.97692
published_at 2026-04-21T12:55:00Z
1
value 0.47156
scoring_system epss
scoring_elements 0.9769
published_at 2026-04-16T12:55:00Z
2
value 0.47156
scoring_system epss
scoring_elements 0.97683
published_at 2026-04-13T12:55:00Z
3
value 0.47156
scoring_system epss
scoring_elements 0.97662
published_at 2026-04-01T12:55:00Z
4
value 0.47156
scoring_system epss
scoring_elements 0.97674
published_at 2026-04-08T12:55:00Z
5
value 0.47156
scoring_system epss
scoring_elements 0.9767
published_at 2026-04-07T12:55:00Z
6
value 0.47156
scoring_system epss
scoring_elements 0.97669
published_at 2026-04-04T12:55:00Z
7
value 0.47156
scoring_system epss
scoring_elements 0.97668
published_at 2026-04-02T12:55:00Z
8
value 0.47156
scoring_system epss
scoring_elements 0.97682
published_at 2026-04-12T12:55:00Z
9
value 0.47156
scoring_system epss
scoring_elements 0.9768
published_at 2026-04-11T12:55:00Z
10
value 0.47156
scoring_system epss
scoring_elements 0.97677
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39146
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997777
reference_id 1997777
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997777
33
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
34
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39146
reference_id CVE-2021-39146
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39146
35
reference_url https://x-stream.github.io/CVE-2021-39146.html
reference_id CVE-2021-39146.HTML
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39146.html
36
reference_url https://github.com/advisories/GHSA-p8pq-r894-fm8f
reference_id GHSA-p8pq-r894-fm8f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p8pq-r894-fm8f
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39146, GHSA-p8pq-r894-fm8f
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eeye-wfxf-x7cc
9
url VCID-exrn-u19r-wfd8
vulnerability_id VCID-exrn-u19r-wfd8
summary
Duplicate Advisory: Denial of Service due to parser crash
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references.

## Original Description
Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
references
0
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367
1
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
2
reference_url https://github.com/x-stream/xstream/issues/304
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/issues/304
3
reference_url https://github.com/x-stream/xstream/issues/314
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/issues/314
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-40151
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-40151
5
reference_url https://github.com/advisories/GHSA-3mq5-fq9h-gj7j
reference_id GHSA-3mq5-fq9h-gj7j
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3mq5-fq9h-gj7j
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fcg2-x3s5-wudk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
aliases GHSA-3mq5-fq9h-gj7j, GMS-2022-9109
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-exrn-u19r-wfd8
10
url VCID-f779-wcjk-kfc1
vulnerability_id VCID-f779-wcjk-kfc1
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39154.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39154.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39154
reference_id
reference_type
scores
0
value 0.00674
scoring_system epss
scoring_elements 0.71438
published_at 2026-04-21T12:55:00Z
1
value 0.00674
scoring_system epss
scoring_elements 0.71459
published_at 2026-04-18T12:55:00Z
2
value 0.00674
scoring_system epss
scoring_elements 0.71453
published_at 2026-04-16T12:55:00Z
3
value 0.00674
scoring_system epss
scoring_elements 0.71365
published_at 2026-04-07T12:55:00Z
4
value 0.00674
scoring_system epss
scoring_elements 0.71418
published_at 2026-04-09T12:55:00Z
5
value 0.00674
scoring_system epss
scoring_elements 0.71406
published_at 2026-04-08T12:55:00Z
6
value 0.00674
scoring_system epss
scoring_elements 0.7139
published_at 2026-04-04T12:55:00Z
7
value 0.00674
scoring_system epss
scoring_elements 0.71373
published_at 2026-04-02T12:55:00Z
8
value 0.00674
scoring_system epss
scoring_elements 0.71407
published_at 2026-04-13T12:55:00Z
9
value 0.00674
scoring_system epss
scoring_elements 0.71425
published_at 2026-04-12T12:55:00Z
10
value 0.00674
scoring_system epss
scoring_elements 0.7144
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39154
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39154.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39154.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997801
reference_id 1997801
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997801
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39154
reference_id CVE-2021-39154
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39154
36
reference_url https://github.com/advisories/GHSA-6w62-hx7r-mw68
reference_id GHSA-6w62-hx7r-mw68
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6w62-hx7r-mw68
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39154, GHSA-6w62-hx7r-mw68
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f779-wcjk-kfc1
11
url VCID-fcg2-x3s5-wudk
vulnerability_id VCID-fcg2-x3s5-wudk
summary
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
### Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.

### Patches
XStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.

### Workarounds
The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
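
The workaround above in working form, as an added example that is not code from the XStream project: a wrapper around binary unmarshalling that turns a StackOverflowError (XStream up to 1.4.20) or an InputManipulationException (1.4.21 and later) into an ordinary rejection, so a single manipulated stream cannot take the calling thread down. The `Message` type, the `SafeBinaryUnmarshal` class and the location of `InputManipulationException` in `com.thoughtworks.xstream.security` are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;

// Added example: contains the failure modes of BinaryStreamDriver parsing so a
// manipulated stream is rejected instead of crashing the caller.
public final class SafeBinaryUnmarshal {

    // Hypothetical payload type; the allow-list below restricts XStream to it.
    public static final class Message {
        public String text;
    }

    private static XStream newXStream() {
        XStream xstream = new XStream(new BinaryStreamDriver());
        // Security framework: nothing but the expected type may be unmarshalled.
        xstream.allowTypes(new Class[] { Message.class });
        return xstream;
    }

    /**
     * Returns the unmarshalled object or throws IllegalArgumentException for
     * input the parser rejects. The StackOverflowError branch is the only
     * workaround on XStream <= 1.4.20; 1.4.21 reports the same manipulation as
     * an InputManipulationException (assumed package: com.thoughtworks.xstream.security).
     */
    public static Object unmarshal(byte[] untrusted) {
        XStream xstream = newXStream();
        try (InputStream in = new ByteArrayInputStream(untrusted)) {
            return xstream.fromXML(in);
        } catch (StackOverflowError e) {
            // Pre-1.4.21: recursion in the binary reader exhausted the stack.
            throw new IllegalArgumentException("rejected: malformed binary stream (stack overflow)");
        } catch (InputManipulationException e) {
            // 1.4.21+: XStream detected the manipulated stream itself.
            throw new IllegalArgumentException("rejected: " + e.getMessage(), e);
        } catch (IOException e) {
            throw new IllegalArgumentException("rejected: unreadable input", e);
        }
    }

    public static void main(String[] args) {
        // Happy path: round-trip a legitimate binary stream through the wrapper.
        Message m = new Message();
        m.text = "hello";
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        newXStream().toXML(m, out);
        Message back = (Message) unmarshal(out.toByteArray());
        System.out.println("round-trip: " + back.text);
    }
}
```

Catching `StackOverflowError` is a last resort, not a fix: the JVM gives no guarantee about the state of the thread afterwards, so the wrapper should be paired with an upgrade to 1.4.21 rather than relied on indefinitely.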

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html).

### Credits
Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47072
reference_id
reference_type
scores
0
value 0.00261
scoring_system epss
scoring_elements 0.49494
published_at 2026-04-18T12:55:00Z
1
value 0.00261
scoring_system epss
scoring_elements 0.49496
published_at 2026-04-16T12:55:00Z
2
value 0.00261
scoring_system epss
scoring_elements 0.4945
published_at 2026-04-13T12:55:00Z
3
value 0.00261
scoring_system epss
scoring_elements 0.49448
published_at 2026-04-12T12:55:00Z
4
value 0.00261
scoring_system epss
scoring_elements 0.49429
published_at 2026-04-02T12:55:00Z
5
value 0.00261
scoring_system epss
scoring_elements 0.49409
published_at 2026-04-07T12:55:00Z
6
value 0.00261
scoring_system epss
scoring_elements 0.49464
published_at 2026-04-21T12:55:00Z
7
value 0.00261
scoring_system epss
scoring_elements 0.49459
published_at 2026-04-09T12:55:00Z
8
value 0.00261
scoring_system epss
scoring_elements 0.49455
published_at 2026-04-04T12:55:00Z
9
value 0.00261
scoring_system epss
scoring_elements 0.49476
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47072
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47072
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47072
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/
url https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
6
reference_url https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
7
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/
url https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
8
reference_url https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47072
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47072
10
reference_url https://x-stream.github.io/CVE-2024-47072.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/
url https://x-stream.github.io/CVE-2024-47072.html
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
reference_id 1087274
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2324606
reference_id 2324606
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2324606
13
reference_url https://github.com/advisories/GHSA-hfq9-hggm-c56q
reference_id GHSA-hfq9-hggm-c56q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hfq9-hggm-c56q
14
reference_url https://access.redhat.com/errata/RHSA-2024:10214
reference_id RHSA-2024:10214
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10214
15
reference_url https://access.redhat.com/errata/RHSA-2025:2218
reference_id RHSA-2025:2218
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2218
16
reference_url https://access.redhat.com/errata/RHSA-2025:2219
reference_id RHSA-2025:2219
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2219
17
reference_url https://access.redhat.com/errata/RHSA-2025:2220
reference_id RHSA-2025:2220
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2220
18
reference_url https://access.redhat.com/errata/RHSA-2025:2221
reference_id RHSA-2025:2221
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2221
19
reference_url https://access.redhat.com/errata/RHSA-2025:2222
reference_id RHSA-2025:2222
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2222
20
reference_url https://access.redhat.com/errata/RHSA-2025:2223
reference_id RHSA-2025:2223
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2223
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.21
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.21
aliases CVE-2024-47072, GHSA-hfq9-hggm-c56q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fcg2-x3s5-wudk
12
url VCID-hqzr-vc5w-9ff5
vulnerability_id VCID-hqzr-vc5w-9ff5
summary
Denial of Service due to parser crash
Those using FasterXML/woodstox to serialize XML data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.

This vulnerability is only relevant for users making use of the DTD parsing functionality.
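
Since the issue is confined to DTD processing, the practical mitigation for an XStream deployment that cannot upgrade woodstox is to hand XStream a StAX factory that does not process DTDs at all. The following is an added example, not code from XStream or woodstox; it assumes the `StaxDriver.createInputFactory()` hook of XStream 1.4.x and the `Note` DTO is hypothetical.

```java
import javax.xml.stream.XMLInputFactory;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;

// Added example: a StaxDriver whose XMLInputFactory (woodstox when it is on the
// classpath) never processes DTDs, so the DTD-parsing code path named in the
// advisory is not reached for untrusted input.
public final class NoDtdStaxDriver extends StaxDriver {

    @Override
    protected XMLInputFactory createInputFactory() {
        XMLInputFactory factory = super.createInputFactory();
        // Standard StAX property: do not process DTDs (internal or external subset).
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Never resolve external entities either; XStream already sets this, kept explicit.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Hypothetical DTO used for the demonstration.
    public static final class Note {
        public String body;
    }

    public static XStream hardened() {
        XStream xstream = new XStream(new NoDtdStaxDriver());
        xstream.allowTypes(new Class[] { Note.class });
        xstream.alias("note", Note.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample: a DOCTYPE with an internal subset in front of an
        // otherwise valid document. With SUPPORT_DTD=false the parser skips or
        // rejects the DOCTYPE, depending on the StAX implementation; either way
        // the internal subset is never parsed.
        String withDtd = "<!DOCTYPE note [<!ELEMENT note (body)>]>"
                + "<note><body>hi</body></note>";
        try {
            Note n = (Note) xstream.fromXML(withDtd);
            System.out.println("DTD skipped, body=" + n.body);
        } catch (RuntimeException e) {
            System.out.println("DTD rejected: " + e.getMessage());
        }
    }
}
```

Check which parser is actually in use before relying on this: `XMLInputFactory.newInstance().getClass()` printed at startup tells you whether woodstox or the JDK's built-in StAX implementation is answering, and the two differ in how they report a disallowed DOCTYPE.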
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40152.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40152.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-40152
reference_id
reference_type
scores
0
value 0.00803
scoring_system epss
scoring_elements 0.7414
published_at 2026-04-21T12:55:00Z
1
value 0.00803
scoring_system epss
scoring_elements 0.7415
published_at 2026-04-18T12:55:00Z
2
value 0.00803
scoring_system epss
scoring_elements 0.74141
published_at 2026-04-16T12:55:00Z
3
value 0.00803
scoring_system epss
scoring_elements 0.74102
published_at 2026-04-13T12:55:00Z
4
value 0.00803
scoring_system epss
scoring_elements 0.74109
published_at 2026-04-12T12:55:00Z
5
value 0.00803
scoring_system epss
scoring_elements 0.74126
published_at 2026-04-11T12:55:00Z
6
value 0.00803
scoring_system epss
scoring_elements 0.74105
published_at 2026-04-09T12:55:00Z
7
value 0.00803
scoring_system epss
scoring_elements 0.7409
published_at 2026-04-08T12:55:00Z
8
value 0.00803
scoring_system epss
scoring_elements 0.74057
published_at 2026-04-07T12:55:00Z
9
value 0.00803
scoring_system epss
scoring_elements 0.7406
published_at 2026-04-02T12:55:00Z
10
value 0.00803
scoring_system epss
scoring_elements 0.74086
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-40152
2
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:21Z/
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/FasterXML/woodstox
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/woodstox
6
reference_url https://github.com/FasterXML/woodstox/issues/157
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/woodstox/issues/157
7
reference_url https://github.com/FasterXML/woodstox/issues/160
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/woodstox/issues/160
8
reference_url https://github.com/FasterXML/woodstox/pull/159
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/woodstox/pull/159
9
reference_url https://github.com/x-stream/xstream/issues/304
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:21Z/
url https://github.com/x-stream/xstream/issues/304
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-40152
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-40152
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032089
reference_id 1032089
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032089
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2134291
reference_id 2134291
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2134291
13
reference_url https://github.com/advisories/GHSA-3f7h-mf4q-vrm4
reference_id GHSA-3f7h-mf4q-vrm4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3f7h-mf4q-vrm4
14
reference_url https://access.redhat.com/errata/RHSA-2023:0469
reference_id RHSA-2023:0469
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0469
15
reference_url https://access.redhat.com/errata/RHSA-2023:0552
reference_id RHSA-2023:0552
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0552
16
reference_url https://access.redhat.com/errata/RHSA-2023:0553
reference_id RHSA-2023:0553
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0553
17
reference_url https://access.redhat.com/errata/RHSA-2023:0554
reference_id RHSA-2023:0554
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0554
18
reference_url https://access.redhat.com/errata/RHSA-2023:0556
reference_id RHSA-2023:0556
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0556
19
reference_url https://access.redhat.com/errata/RHSA-2023:2100
reference_id RHSA-2023:2100
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2100
20
reference_url https://access.redhat.com/errata/RHSA-2023:3299
reference_id RHSA-2023:3299
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3299
21
reference_url https://access.redhat.com/errata/RHSA-2023:3641
reference_id RHSA-2023:3641
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3641
22
reference_url https://access.redhat.com/errata/RHSA-2023:3815
reference_id RHSA-2023:3815
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3815
23
reference_url https://access.redhat.com/errata/RHSA-2023:4983
reference_id RHSA-2023:4983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4983
24
reference_url https://access.redhat.com/errata/RHSA-2025:4437
reference_id RHSA-2025:4437
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4437
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fcg2-x3s5-wudk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
aliases CVE-2022-40152, GHSA-3f7h-mf4q-vrm4
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hqzr-vc5w-9ff5
13
url VCID-hsja-ryzy-7bbx
vulnerability_id VCID-hsja-ryzy-7bbx
summary
Server-Side Request Forgery can be activated unmarshalling with XStream
### Impact
The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.15.

### Workarounds
The reported vulnerability does not exist running Java 15 or higher.

No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.

Users of XStream 1.4.14 or below who still insist on using XStream's default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.

Users of XStream 1.4.14 can simply add two lines to XStream's setup code:
```Java
xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
```

Users of XStream 1.4.13 can simply add three lines to XStream's setup code:
```Java
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
```
Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _jdk.nashorn.internal.objects.NativeString_, _java.lang.Void_ and _void_, and deny several types by name pattern.
```Java
// Types only reachable by name (not on every JRE) go in the String[] overload.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
// Types always present on the classpath can be denied as Class literals.
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });
// Name patterns for the remaining gadget families.
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
```
Users of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:
```Java
import java.lang.reflect.Proxy;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

xstream.registerConverter(new Converter() {
  public boolean canConvert(Class type) {
    if (type == null) {
      return false;
    }
    String name = type.getName();
    // Claim the known critical JRE types, every dynamic proxy class, and the
    // name patterns that the deny lists for newer versions cover.
    return type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
        || name.equals("javax.imageio.ImageIO$ContainsFilter") || name.equals("jdk.nashorn.internal.objects.NativeString")
        || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)
        || name.startsWith("javax.crypto.") || name.endsWith("$LazyIterator") || name.endsWith(".ReadAllStream$FileStream");
  }

  // Claiming the type and then refusing both directions blocks it outright.
  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
}, XStream.PRIORITY_LOW);
```
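
All of the version-specific deny lists above are stopgaps; the advisory's actual recommendation is a whitelist. The following is an added example of that setup, not code from the XStream project: the security framework is reset to deny everything, then opened only for the application's own types, and a probe that names a JRE class outside the list is refused before it is instantiated. The `Order` DTO, the `com.example.dto` package and the `AllowListSetup` class are assumptions of this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example: allow-list configuration of XStream's security framework.
public final class AllowListSetup {

    // Hypothetical DTO this service expects to receive.
    public static final class Order {
        public String id;
        public int quantity;
    }

    public static XStream hardened() {
        XStream xstream = new XStream();
        // Adding NoTypePermission.NONE clears every existing permission, so the
        // outcome does not depend on which default list the installed version ships.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-open the harmless basics: null and primitive wrappers.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Then exactly the types this service unmarshals.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // A wildcard covers a whole package of DTOs (hypothetical package name).
        xstream.allowTypesByWildcard(new String[] { "com.example.dto.**" });
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** True when the security framework refused the payload's root type. */
    public static boolean isRefused(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed legitimate document.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order o = (Order) xstream.fromXML(good);
        System.out.println("ok: " + o.id + " x" + o.quantity);

        // Constructed probe: the root element names a JRE type that is not on the
        // allow list. No gadget chain is needed to show the point; any class
        // outside the list is refused before XStream instantiates it.
        String probe = "<java.lang.ProcessBuilder><command/></java.lang.ProcessBuilder>";
        System.out.println("probe refused: " + isRefused(xstream, probe));
    }
}
```

Because the list is built from an empty permission set, this configuration behaves the same on 1.4.7 through 1.4.21; on versions before 1.4.18 it also removes the need for any of the deny-list lines above.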
 
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26258.json
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26258.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26258
reference_id
reference_type
scores
0
value 0.9368
scoring_system epss
scoring_elements 0.99844
published_at 2026-04-02T12:55:00Z
1
value 0.9368
scoring_system epss
scoring_elements 0.99847
published_at 2026-04-21T12:55:00Z
2
value 0.9368
scoring_system epss
scoring_elements 0.99846
published_at 2026-04-18T12:55:00Z
3
value 0.9368
scoring_system epss
scoring_elements 0.99845
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26258
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
6
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
7
reference_url https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E
9
reference_url https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26258
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26258
17
reference_url https://security.netapp.com/advisory/ntap-20210409-0005
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210409-0005
18
reference_url https://www.debian.org/security/2021/dsa-4828
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4828
19
reference_url https://x-stream.github.io/CVE-2020-26258.html
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2020-26258.html
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1908832
reference_id 1908832
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1908832
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977625
reference_id 977625
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977625
22
reference_url https://github.com/advisories/GHSA-4cch-wxpw-8p28
reference_id GHSA-4cch-wxpw-8p28
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4cch-wxpw-8p28
23
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
24
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
25
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
26
reference_url https://access.redhat.com/errata/RHSA-2021:3205
reference_id RHSA-2021:3205
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3205
27
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
28
reference_url https://usn.ubuntu.com/4714-1/
reference_id USN-4714-1
reference_type
scores
url https://usn.ubuntu.com/4714-1/
29
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
30
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.15
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-6mz4-fu3s-vycx
2
vulnerability VCID-7ma6-2uv1-sbef
3
vulnerability VCID-8gha-n6ke-nucu
4
vulnerability VCID-9442-1vwr-5fbt
5
vulnerability VCID-c5tu-31kw-mfcf
6
vulnerability VCID-dxpe-qmxq-ykax
7
vulnerability VCID-eeye-wfxf-x7cc
8
vulnerability VCID-exrn-u19r-wfd8
9
vulnerability VCID-f779-wcjk-kfc1
10
vulnerability VCID-fcg2-x3s5-wudk
11
vulnerability VCID-hqzr-vc5w-9ff5
12
vulnerability VCID-mfub-hwcq-pqbt
13
vulnerability VCID-na6t-mkxt-3qbw
14
vulnerability VCID-npjx-vkrd-9bae
15
vulnerability VCID-nrf7-heu6-vfdc
16
vulnerability VCID-qh44-75jb-wbhf
17
vulnerability VCID-qvbb-jhkk-2udw
18
vulnerability VCID-qwp5-wae9-cffb
19
vulnerability VCID-re5g-6kjz-q7e8
20
vulnerability VCID-rfc1-r1gr-wffp
21
vulnerability VCID-sqb5-brnu-vfbk
22
vulnerability VCID-u5yy-xx6z-dfh6
23
vulnerability VCID-v7za-zjfx-mqek
24
vulnerability VCID-vpxs-6wcf-ckh9
25
vulnerability VCID-wehr-d623-akaj
26
vulnerability VCID-xdpy-sx55-b3ac
27
vulnerability VCID-xsr8-3cke-33ck
28
vulnerability VCID-yb4j-92y9-nfb5
29
vulnerability VCID-yuwe-6pp1-bke2
30
vulnerability VCID-zm9c-xw64-5qcc
31
vulnerability VCID-zmh2-t17w-wue1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.15
aliases CVE-2020-26258, GHSA-4cch-wxpw-8p28
risk_score 10.0
exploitability 2.0
weighted_severity 6.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hsja-ryzy-7bbx
14
url VCID-mfub-hwcq-pqbt
vulnerability_id VCID-mfub-hwcq-pqbt
summary
XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow
### Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, simply by manipulating the processed input stream.

### Patches
XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

### Workarounds
The only solution is to catch the StackOverflowError in the client code calling XStream.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html).

### Credits
The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
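The workaround described above, as an added example (not XStream's own code and not from the advisory): a small wrapper around fromXML that treats a StackOverflowError from XStream before 1.4.20, and the InputManipulationException that 1.4.20 raises instead, as rejected input rather than letting the thread die. The wrapper name, the allow list and the constructed nested-list payload are assumptions for illustration; addPermission, allowTypes and fromXML are XStream's public API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class NestedInputGuard {

    // Hypothetical wrapper: returns the unmarshalled object, or null when the
    // input is rejected. Callers must treat null as "input refused".
    static Object safeFromXML(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (StackOverflowError e) {
            // XStream < 1.4.20: the advisory's only workaround is to catch the
            // Error in the client code that invokes XStream.
            System.err.println("rejected: nesting too deep (StackOverflowError)");
            return null;
        } catch (XStreamException e) {
            // XStream 1.4.20+ converts the overflow into an
            // InputManipulationException, which is an XStreamException; any
            // other malformed or forbidden input also ends up here.
            System.err.println("rejected: " + e.getClass().getSimpleName()
                    + ": " + e.getMessage());
            return null;
        }
    }

    // Constructed hostile input: a list nested `depth` times inside itself.
    static String nestedListXml(int depth) {
        StringBuilder sb = new StringBuilder(depth * 13);
        for (int i = 0; i < depth; i++) sb.append("<list>");
        for (int i = 0; i < depth; i++) sb.append("</list>");
        return sb.toString();
    }

    public static void main(String[] args) {
        XStream xstream = new XStream();
        // Minimal allow list, as the advisories on this page recommend:
        // drop all default permissions, then re-add only what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { ArrayList.class, String.class });

        // Benign input: three nested lists unmarshal normally.
        Object ok = safeFromXML(xstream, nestedListXml(3));
        System.out.println("depth 3 -> " + (ok instanceof List ? "List" : ok));

        // Hostile input: deep enough to exhaust the stack during recursion.
        Object bad = safeFromXML(xstream, nestedListXml(100_000));
        System.out.println("depth 100000 -> " + bad);
    }
}
```

Catching an Error only salvages the calling thread; if the application cannot tolerate a half-unwound stack in a request thread, run the unmarshalling in a dedicated worker thread and discard it on failure. The durable fix remains upgrading to 1.4.20 or later, where the library raises InputManipulationException itself.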
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40151.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40151.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-40151
reference_id
reference_type
scores
0
value 0.00258
scoring_system epss
scoring_elements 0.49206
published_at 2026-04-21T12:55:00Z
1
value 0.00258
scoring_system epss
scoring_elements 0.49237
published_at 2026-04-18T12:55:00Z
2
value 0.00258
scoring_system epss
scoring_elements 0.49239
published_at 2026-04-16T12:55:00Z
3
value 0.00258
scoring_system epss
scoring_elements 0.49192
published_at 2026-04-13T12:55:00Z
4
value 0.00258
scoring_system epss
scoring_elements 0.49188
published_at 2026-04-12T12:55:00Z
5
value 0.00258
scoring_system epss
scoring_elements 0.49215
published_at 2026-04-11T12:55:00Z
6
value 0.00258
scoring_system epss
scoring_elements 0.49197
published_at 2026-04-09T12:55:00Z
7
value 0.00258
scoring_system epss
scoring_elements 0.49166
published_at 2026-04-02T12:55:00Z
8
value 0.00258
scoring_system epss
scoring_elements 0.49146
published_at 2026-04-07T12:55:00Z
9
value 0.00258
scoring_system epss
scoring_elements 0.49194
published_at 2026-04-04T12:55:00Z
10
value 0.00258
scoring_system epss
scoring_elements 0.492
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-40151
2
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:18Z/
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
6
reference_url https://github.com/x-stream/xstream/issues/304
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:18Z/
url https://github.com/x-stream/xstream/issues/304
7
reference_url https://github.com/x-stream/xstream/issues/314
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/issues/314
8
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-40151
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-40151
10
reference_url https://x-stream.github.io/CVE-2022-40151.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2022-40151.html
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2134292
reference_id 2134292
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2134292
12
reference_url https://github.com/advisories/GHSA-f8cc-g7j8-xxpm
reference_id GHSA-f8cc-g7j8-xxpm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f8cc-g7j8-xxpm
13
reference_url https://access.redhat.com/errata/RHSA-2023:0469
reference_id RHSA-2023:0469
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0469
14
reference_url https://access.redhat.com/errata/RHSA-2023:2100
reference_id RHSA-2023:2100
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2100
15
reference_url https://access.redhat.com/errata/RHSA-2023:3299
reference_id RHSA-2023:3299
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3299
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fcg2-x3s5-wudk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20
aliases CVE-2022-40151, GHSA-f8cc-g7j8-xxpm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mfub-hwcq-pqbt
15
url VCID-na6t-mkxt-3qbw
vulnerability_id VCID-na6t-mkxt-3qbw
summary
XStream is vulnerable to a Remote Command Execution attack
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host, simply by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39144
reference_id
reference_type
scores
0
value 0.94255
scoring_system epss
scoring_elements 0.99933
published_at 2026-04-13T12:55:00Z
1
value 0.94255
scoring_system epss
scoring_elements 0.99934
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39144
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
16
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
17
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
18
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997772
reference_id 1997772
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997772
33
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id 22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39144
reference_id CVE-2021-39144
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39144
36
reference_url https://x-stream.github.io/CVE-2021-39144.html
reference_id CVE-2021-39144.HTML
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://x-stream.github.io/CVE-2021-39144.html
37
reference_url https://github.com/advisories/GHSA-j9h8-phrw-h4fh
reference_id GHSA-j9h8-phrw-h4fh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j9h8-phrw-h4fh
38
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
reference_id GHSA-j9h8-phrw-h4fh
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
39
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
40
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
41
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
42
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
43
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
44
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
45
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
46
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
47
reference_url https://access.redhat.com/errata/RHSA-2023:1303
reference_id RHSA-2023:1303
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1303
48
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39144, GHSA-j9h8-phrw-h4fh
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-na6t-mkxt-3qbw
16
url VCID-nn7p-d7hz-53d5
vulnerability_id VCID-nn7p-d7hz-53d5
summary XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
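Setting up XStream's security framework with an allow list, as the CVE-2021-39144 record earlier on this page recommends, together with the denyTypes workaround that the summary above refers to. This is an added example, not code from XStream or from any of the advisories. The Order type, the alias and the constructed hostile inputs are assumptions; addPermission, allowTypes, denyTypes and alias are XStream's public API. The explicit deny of void is needed because void.class.isPrimitive() is true in Java, so a PrimitiveTypePermission on its own does not exclude it.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowListedXStream {

    // Hypothetical domain type this application actually needs to unmarshal.
    public static class Order {
        String id;
        int quantity;
    }

    public static XStream hardened() {
        XStream xstream = new XStream();
        // Clear every default permission, then re-add only what is required.
        // Permissions added later are checked first, so the deny below wins.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // CVE-2017-7957 workaround for XStream <= 1.4.9: refuse 'void', which
        // the primitive permission above would otherwise let through.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Expected input: the one type the application allows.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order o = (Order) xstream.fromXML(good);
        System.out.println("ok: " + o.id + " x" + o.quantity);

        // Constructed hostile inputs: an arbitrary JDK type that is not on the
        // allow list, and the 'void' crash input from the summary above.
        String[] hostile = { "<java.lang.ProcessBuilder/>", "<void/>" };
        for (String xml : hostile) {
            try {
                xstream.fromXML(xml);
                System.out.println("UNEXPECTED: accepted " + xml);
            } catch (XStreamException e) {
                // ForbiddenClassException (an XStreamException) is raised by
                // the security mapper before the type is instantiated.
                System.out.println("rejected " + xml + ": "
                        + e.getClass().getSimpleName());
            }
        }
    }
}
```

Keep the allow list at the level of concrete classes or a narrow package wildcard; allowTypeHierarchy on a broad interface such as Object or Serializable reopens the gadget surface the RCE advisories on this page describe.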
references
0
reference_url https://access.redhat.com/errata/RHSA-2017:1832
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2017:1832
1
reference_url https://access.redhat.com/errata/RHSA-2017:2888
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2017:2888
2
reference_url https://access.redhat.com/errata/RHSA-2017:2889
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2017:2889
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7957.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7957.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-7957
reference_id
reference_type
scores
0
value 0.02639
scoring_system epss
scoring_elements 0.85662
published_at 2026-04-04T12:55:00Z
1
value 0.02639
scoring_system epss
scoring_elements 0.857
published_at 2026-04-09T12:55:00Z
2
value 0.02639
scoring_system epss
scoring_elements 0.85689
published_at 2026-04-08T12:55:00Z
3
value 0.02639
scoring_system epss
scoring_elements 0.8571
published_at 2026-04-12T12:55:00Z
4
value 0.02639
scoring_system epss
scoring_elements 0.85707
published_at 2026-04-13T12:55:00Z
5
value 0.02639
scoring_system epss
scoring_elements 0.85729
published_at 2026-04-16T12:55:00Z
6
value 0.02639
scoring_system epss
scoring_elements 0.85733
published_at 2026-04-18T12:55:00Z
7
value 0.02639
scoring_system epss
scoring_elements 0.85728
published_at 2026-04-21T12:55:00Z
8
value 0.02639
scoring_system epss
scoring_elements 0.85645
published_at 2026-04-02T12:55:00Z
9
value 0.02639
scoring_system epss
scoring_elements 0.85714
published_at 2026-04-11T12:55:00Z
10
value 0.02639
scoring_system epss
scoring_elements 0.85633
published_at 2026-04-01T12:55:00Z
11
value 0.02639
scoring_system epss
scoring_elements 0.85669
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-7957
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
6
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:N/I:N/A:C
1
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
9
reference_url https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab
10
reference_url https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d
11
reference_url https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-7957
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:N/I:N/A:P
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-7957
13
reference_url https://www-prd-trops.events.ibm.com/node/715749
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www-prd-trops.events.ibm.com/node/715749
14
reference_url http://www.debian.org/security/2017/dsa-3841
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2017/dsa-3841
15
reference_url http://www.securityfocus.com/bid/100687
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/100687
16
reference_url http://www.securitytracker.com/id/1039499
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.securitytracker.com/id/1039499
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1441538
reference_id 1441538
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1441538
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
reference_id 861521
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
19
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
20
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
21
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
22
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
23
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
24
reference_url https://access.redhat.com/security/cve/cve-2017-7957
reference_id CVE-2017-7957
reference_type
scores
url https://access.redhat.com/security/cve/cve-2017-7957
25
reference_url https://security-tracker.debian.org/tracker/CVE-2017-7957
reference_id CVE-2017-7957
reference_type
scores
url https://security-tracker.debian.org/tracker/CVE-2017-7957
26
reference_url http://x-stream.github.io/CVE-2017-7957.html
reference_id CVE-2017-7957.HTML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/CVE-2017-7957.html
27
reference_url https://github.com/advisories/GHSA-7hwc-46rm-65jh
reference_id GHSA-7hwc-46rm-65jh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7hwc-46rm-65jh
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.10
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-2t1b-135u-euem
2
vulnerability VCID-6mz4-fu3s-vycx
3
vulnerability VCID-7ma6-2uv1-sbef
4
vulnerability VCID-8gha-n6ke-nucu
5
vulnerability VCID-9442-1vwr-5fbt
6
vulnerability VCID-bdv1-cuyk-sqc1
7
vulnerability VCID-c5tu-31kw-mfcf
8
vulnerability VCID-dxpe-qmxq-ykax
9
vulnerability VCID-eeye-wfxf-x7cc
10
vulnerability VCID-exrn-u19r-wfd8
11
vulnerability VCID-f779-wcjk-kfc1
12
vulnerability VCID-fcg2-x3s5-wudk
13
vulnerability VCID-hqzr-vc5w-9ff5
14
vulnerability VCID-hsja-ryzy-7bbx
15
vulnerability VCID-mfub-hwcq-pqbt
16
vulnerability VCID-na6t-mkxt-3qbw
17
vulnerability VCID-npjx-vkrd-9bae
18
vulnerability VCID-nrf7-heu6-vfdc
19
vulnerability VCID-qh44-75jb-wbhf
20
vulnerability VCID-qvbb-jhkk-2udw
21
vulnerability VCID-qwp5-wae9-cffb
22
vulnerability VCID-re5g-6kjz-q7e8
23
vulnerability VCID-rfc1-r1gr-wffp
24
vulnerability VCID-sqb5-brnu-vfbk
25
vulnerability VCID-u5yy-xx6z-dfh6
26
vulnerability VCID-v7za-zjfx-mqek
27
vulnerability VCID-vn1d-9uf5-gbce
28
vulnerability VCID-vpxs-6wcf-ckh9
29
vulnerability VCID-wehr-d623-akaj
30
vulnerability VCID-xdpy-sx55-b3ac
31
vulnerability VCID-xsr8-3cke-33ck
32
vulnerability VCID-y8ub-2kad-kqbs
33
vulnerability VCID-yb4j-92y9-nfb5
34
vulnerability VCID-yuwe-6pp1-bke2
35
vulnerability VCID-zm9c-xw64-5qcc
36
vulnerability VCID-zmh2-t17w-wue1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.10
aliases CVE-2017-7957, GHSA-7hwc-46rm-65jh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nn7p-d7hz-53d5
17
url VCID-npjx-vkrd-9bae
vulnerability_id VCID-npjx-vkrd-9bae
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39141.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39141.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39141
reference_id
reference_type
scores
0
value 0.81843
scoring_system epss
scoring_elements 0.99201
published_at 2026-04-21T12:55:00Z
1
value 0.81843
scoring_system epss
scoring_elements 0.99199
published_at 2026-04-16T12:55:00Z
2
value 0.81843
scoring_system epss
scoring_elements 0.99198
published_at 2026-04-12T12:55:00Z
3
value 0.81843
scoring_system epss
scoring_elements 0.99197
published_at 2026-04-13T12:55:00Z
4
value 0.81843
scoring_system epss
scoring_elements 0.99196
published_at 2026-04-07T12:55:00Z
5
value 0.81843
scoring_system epss
scoring_elements 0.99192
published_at 2026-04-04T12:55:00Z
6
value 0.81843
scoring_system epss
scoring_elements 0.9919
published_at 2026-04-02T12:55:00Z
7
value 0.81843
scoring_system epss
scoring_elements 0.99188
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39141
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997769
reference_id 1997769
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997769
33
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
34
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39141
reference_id CVE-2021-39141
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39141
35
reference_url https://x-stream.github.io/CVE-2021-39141.html
reference_id CVE-2021-39141.HTML
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39141.html
36
reference_url https://github.com/advisories/GHSA-g5w6-mrj7-75h2
reference_id GHSA-g5w6-mrj7-75h2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g5w6-mrj7-75h2
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39141, GHSA-g5w6-mrj7-75h2
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-npjx-vkrd-9bae
18
url VCID-nrf7-heu6-vfdc
vulnerability_id VCID-nrf7-heu6-vfdc
summary
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21344](https://x-stream.github.io/CVE-2021-21344.html).

### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21344.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21344.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21344
reference_id
reference_type
scores
0
value 0.30602
scoring_system epss
scoring_elements 0.96727
published_at 2026-04-21T12:55:00Z
1
value 0.30602
scoring_system epss
scoring_elements 0.96724
published_at 2026-04-18T12:55:00Z
2
value 0.30602
scoring_system epss
scoring_elements 0.96682
published_at 2026-04-01T12:55:00Z
3
value 0.30602
scoring_system epss
scoring_elements 0.9672
published_at 2026-04-16T12:55:00Z
4
value 0.30602
scoring_system epss
scoring_elements 0.96714
published_at 2026-04-13T12:55:00Z
5
value 0.30602
scoring_system epss
scoring_elements 0.96711
published_at 2026-04-12T12:55:00Z
6
value 0.30602
scoring_system epss
scoring_elements 0.96708
published_at 2026-04-09T12:55:00Z
7
value 0.30602
scoring_system epss
scoring_elements 0.96706
published_at 2026-04-08T12:55:00Z
8
value 0.30602
scoring_system epss
scoring_elements 0.96699
published_at 2026-04-07T12:55:00Z
9
value 0.30602
scoring_system epss
scoring_elements 0.96694
published_at 2026-04-04T12:55:00Z
10
value 0.30602
scoring_system epss
scoring_elements 0.96693
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21344
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21344
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21344
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21344.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21344.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942554
reference_id 1942554
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942554
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-59jw-jqf4-3wq3
reference_id GHSA-59jw-jqf4-3wq3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-59jw-jqf4-3wq3
28
reference_url https://access.redhat.com/errata/RHSA-2021:1354
reference_id RHSA-2021:1354
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1354
29
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
30
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
31
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
32
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
33
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
34
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
35
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
36
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21344, GHSA-59jw-jqf4-3wq3
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nrf7-heu6-vfdc
19
url VCID-qh44-75jb-wbhf
vulnerability_id VCID-qh44-75jb-wbhf
summary
XStream is vulnerable to a Remote Command Execution attack
### Impact
The vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21345](https://x-stream.github.io/CVE-2021-21345.html).

### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21345.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21345.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21345
reference_id
reference_type
scores
0
value 0.88091
scoring_system epss
scoring_elements 0.99489
published_at 2026-04-21T12:55:00Z
1
value 0.88091
scoring_system epss
scoring_elements 0.99488
published_at 2026-04-18T12:55:00Z
2
value 0.88091
scoring_system epss
scoring_elements 0.99486
published_at 2026-04-13T12:55:00Z
3
value 0.88091
scoring_system epss
scoring_elements 0.99479
published_at 2026-04-02T12:55:00Z
4
value 0.88091
scoring_system epss
scoring_elements 0.99483
published_at 2026-04-07T12:55:00Z
5
value 0.88091
scoring_system epss
scoring_elements 0.99481
published_at 2026-04-04T12:55:00Z
6
value 0.88091
scoring_system epss
scoring_elements 0.99484
published_at 2026-04-08T12:55:00Z
7
value 0.88091
scoring_system epss
scoring_elements 0.99485
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21345
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21345
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21345
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpuApr2021.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuApr2021.html
20
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
21
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
22
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
23
reference_url https://x-stream.github.io/CVE-2021-21345.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21345.html
24
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
25
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
26
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942558
reference_id 1942558
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942558
27
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
28
reference_url https://github.com/advisories/GHSA-hwpc-8xqv-jvj4
reference_id GHSA-hwpc-8xqv-jvj4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hwpc-8xqv-jvj4
29
reference_url https://access.redhat.com/errata/RHSA-2021:1354
reference_id RHSA-2021:1354
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1354
30
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
31
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
32
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
33
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
34
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
35
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
36
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
37
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21345, GHSA-hwpc-8xqv-jvj4
risk_score 10.0
exploitability 2.0
weighted_severity 7.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qh44-75jb-wbhf
20
url VCID-qvbb-jhkk-2udw
vulnerability_id VCID-qvbb-jhkk-2udw
summary
XStream is vulnerable to a Remote Command Execution attack
### Impact
The vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-29505](https://x-stream.github.io/CVE-2021-29505.html).

### Credits

V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Email us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29505.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29505.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29505
reference_id
reference_type
scores
0
value 0.90769
scoring_system epss
scoring_elements 0.99627
published_at 2026-04-21T12:55:00Z
1
value 0.90769
scoring_system epss
scoring_elements 0.99626
published_at 2026-04-16T12:55:00Z
2
value 0.90769
scoring_system epss
scoring_elements 0.99625
published_at 2026-04-18T12:55:00Z
3
value 0.90769
scoring_system epss
scoring_elements 0.99624
published_at 2026-04-07T12:55:00Z
4
value 0.90769
scoring_system epss
scoring_elements 0.99623
published_at 2026-04-04T12:55:00Z
5
value 0.90769
scoring_system epss
scoring_elements 0.99622
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29505
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
6
reference_url https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
7
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
8
reference_url https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E
10
reference_url https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29505
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29505
18
reference_url https://security.netapp.com/advisory/ntap-20210708-0007
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210708-0007
19
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
20
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
21
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
22
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
23
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
24
reference_url https://x-stream.github.io/CVE-2021-29505.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-29505.html
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1966735
reference_id 1966735
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1966735
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989491
reference_id 989491
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989491
27
reference_url https://github.com/advisories/GHSA-7chv-rrw6-w6fc
reference_id GHSA-7chv-rrw6-w6fc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7chv-rrw6-w6fc
28
reference_url https://access.redhat.com/errata/RHSA-2021:2683
reference_id RHSA-2021:2683
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2683
29
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
30
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
31
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
32
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
33
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
34
reference_url https://access.redhat.com/errata/RHSA-2022:5532
reference_id RHSA-2022:5532
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5532
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.17
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-rfc1-r1gr-wffp
15
vulnerability VCID-v7za-zjfx-mqek
16
vulnerability VCID-wehr-d623-akaj
17
vulnerability VCID-xsr8-3cke-33ck
18
vulnerability VCID-yb4j-92y9-nfb5
19
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.17
aliases CVE-2021-29505, GHSA-7chv-rrw6-w6fc
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qvbb-jhkk-2udw
21
url VCID-qwp5-wae9-cffb
vulnerability_id VCID-qwp5-wae9-cffb
summary
XStream is vulnerable to a Regular Expression Denial of Service (ReDoS) attack
### Impact
The vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21348](https://x-stream.github.io/CVE-2021-21348.html).

### Credits
The vulnerability was discovered and reported by threedr3am.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21348.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21348.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21348
reference_id
reference_type
scores
0
value 0.00256
scoring_system epss
scoring_elements 0.48963
published_at 2026-04-21T12:55:00Z
1
value 0.00256
scoring_system epss
scoring_elements 0.49002
published_at 2026-04-18T12:55:00Z
2
value 0.00256
scoring_system epss
scoring_elements 0.48894
published_at 2026-04-01T12:55:00Z
3
value 0.00256
scoring_system epss
scoring_elements 0.49006
published_at 2026-04-16T12:55:00Z
4
value 0.00256
scoring_system epss
scoring_elements 0.48959
published_at 2026-04-13T12:55:00Z
5
value 0.00256
scoring_system epss
scoring_elements 0.48952
published_at 2026-04-12T12:55:00Z
6
value 0.00256
scoring_system epss
scoring_elements 0.48978
published_at 2026-04-11T12:55:00Z
7
value 0.00256
scoring_system epss
scoring_elements 0.48961
published_at 2026-04-09T12:55:00Z
8
value 0.00256
scoring_system epss
scoring_elements 0.48964
published_at 2026-04-08T12:55:00Z
9
value 0.00256
scoring_system epss
scoring_elements 0.4891
published_at 2026-04-07T12:55:00Z
10
value 0.00256
scoring_system epss
scoring_elements 0.48956
published_at 2026-04-04T12:55:00Z
11
value 0.00256
scoring_system epss
scoring_elements 0.4893
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21348
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21348
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21348
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21348.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21348.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942633
reference_id 1942633
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942633
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-56p8-3fh9-4cvq
reference_id GHSA-56p8-3fh9-4cvq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-56p8-3fh9-4cvq
28
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
29
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
30
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
31
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
32
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
33
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
34
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21348, GHSA-56p8-3fh9-4cvq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qwp5-wae9-cffb
22
url VCID-re5g-6kjz-q7e8
vulnerability_id VCID-re5g-6kjz-q7e8
summary
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21351](https://x-stream.github.io/CVE-2021-21351.html).

### Credits
wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21351.json
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21351.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21351
reference_id
reference_type
scores
0
value 0.92
scoring_system epss
scoring_elements 0.99704
published_at 2026-04-21T12:55:00Z
1
value 0.92
scoring_system epss
scoring_elements 0.99701
published_at 2026-04-18T12:55:00Z
2
value 0.92
scoring_system epss
scoring_elements 0.99695
published_at 2026-04-02T12:55:00Z
3
value 0.92
scoring_system epss
scoring_elements 0.997
published_at 2026-04-16T12:55:00Z
4
value 0.92
scoring_system epss
scoring_elements 0.99699
published_at 2026-04-13T12:55:00Z
5
value 0.92
scoring_system epss
scoring_elements 0.99698
published_at 2026-04-09T12:55:00Z
6
value 0.92
scoring_system epss
scoring_elements 0.99697
published_at 2026-04-07T12:55:00Z
7
value 0.92
scoring_system epss
scoring_elements 0.99696
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21351
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21351
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21351
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21351.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21351.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942642
reference_id 1942642
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942642
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-hrcp-8f3q-4w2c
reference_id GHSA-hrcp-8f3q-4w2c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hrcp-8f3q-4w2c
28
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
29
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
30
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
31
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
32
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
33
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
34
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21351, GHSA-hrcp-8f3q-4w2c
risk_score 10.0
exploitability 2.0
weighted_severity 7.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-re5g-6kjz-q7e8
23
url VCID-rfc1-r1gr-wffp
vulnerability_id VCID-rfc1-r1gr-wffp
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39151.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39151.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39151
reference_id
reference_type
scores
0
value 0.00708
scoring_system epss
scoring_elements 0.72222
published_at 2026-04-21T12:55:00Z
1
value 0.00708
scoring_system epss
scoring_elements 0.72236
published_at 2026-04-18T12:55:00Z
2
value 0.00708
scoring_system epss
scoring_elements 0.72226
published_at 2026-04-16T12:55:00Z
3
value 0.00708
scoring_system epss
scoring_elements 0.72185
published_at 2026-04-13T12:55:00Z
4
value 0.00708
scoring_system epss
scoring_elements 0.72199
published_at 2026-04-12T12:55:00Z
5
value 0.00708
scoring_system epss
scoring_elements 0.72214
published_at 2026-04-11T12:55:00Z
6
value 0.00708
scoring_system epss
scoring_elements 0.72192
published_at 2026-04-09T12:55:00Z
7
value 0.00708
scoring_system epss
scoring_elements 0.7218
published_at 2026-04-08T12:55:00Z
8
value 0.00708
scoring_system epss
scoring_elements 0.72143
published_at 2026-04-07T12:55:00Z
9
value 0.00708
scoring_system epss
scoring_elements 0.72166
published_at 2026-04-04T12:55:00Z
10
value 0.00708
scoring_system epss
scoring_elements 0.72145
published_at 2026-04-02T12:55:00Z
11
value 0.00708
scoring_system epss
scoring_elements 0.7214
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39151
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39151.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39151.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997791
reference_id 1997791
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997791
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39151
reference_id CVE-2021-39151
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39151
36
reference_url https://github.com/advisories/GHSA-hph2-m3g5-xxv4
reference_id GHSA-hph2-m3g5-xxv4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hph2-m3g5-xxv4
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39151, GHSA-hph2-m3g5-xxv4
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rfc1-r1gr-wffp
24
url VCID-sqb5-brnu-vfbk
vulnerability_id VCID-sqb5-brnu-vfbk
summary
XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights
### Impact
The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in the deletion of a file on the local host. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21343](https://x-stream.github.io/CVE-2021-21343.html).

### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21343.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21343.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21343
reference_id
reference_type
scores
0
value 0.00623
scoring_system epss
scoring_elements 0.70168
published_at 2026-04-21T12:55:00Z
1
value 0.00623
scoring_system epss
scoring_elements 0.7019
published_at 2026-04-18T12:55:00Z
2
value 0.00623
scoring_system epss
scoring_elements 0.70073
published_at 2026-04-01T12:55:00Z
3
value 0.00623
scoring_system epss
scoring_elements 0.70181
published_at 2026-04-16T12:55:00Z
4
value 0.00623
scoring_system epss
scoring_elements 0.70137
published_at 2026-04-13T12:55:00Z
5
value 0.00623
scoring_system epss
scoring_elements 0.7015
published_at 2026-04-12T12:55:00Z
6
value 0.00623
scoring_system epss
scoring_elements 0.70164
published_at 2026-04-11T12:55:00Z
7
value 0.00623
scoring_system epss
scoring_elements 0.70141
published_at 2026-04-09T12:55:00Z
8
value 0.00623
scoring_system epss
scoring_elements 0.70125
published_at 2026-04-08T12:55:00Z
9
value 0.00623
scoring_system epss
scoring_elements 0.70078
published_at 2026-04-07T12:55:00Z
10
value 0.00623
scoring_system epss
scoring_elements 0.70101
published_at 2026-04-04T12:55:00Z
11
value 0.00623
scoring_system epss
scoring_elements 0.70086
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21343
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21343
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21343
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21343.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21343.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942550
reference_id 1942550
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942550
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-74cv-f58x-f9wf
reference_id GHSA-74cv-f58x-f9wf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-74cv-f58x-f9wf
28
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
29
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
30
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
31
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
32
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
33
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
34
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21343, GHSA-74cv-f58x-f9wf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sqb5-brnu-vfbk
25
url VCID-u5yy-xx6z-dfh6
vulnerability_id VCID-u5yy-xx6z-dfh6
summary
A Server-Side Request Forgery can be triggered when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host
### Impact
The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available merely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21349](https://x-stream.github.io/CVE-2021-21349.html).

### Credits
The vulnerability was discovered and reported by threedr3am.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21349.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21349.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21349
reference_id
reference_type
scores
0
value 0.06747
scoring_system epss
scoring_elements 0.91314
published_at 2026-04-21T12:55:00Z
1
value 0.06747
scoring_system epss
scoring_elements 0.91312
published_at 2026-04-18T12:55:00Z
2
value 0.06747
scoring_system epss
scoring_elements 0.91239
published_at 2026-04-01T12:55:00Z
3
value 0.06747
scoring_system epss
scoring_elements 0.91313
published_at 2026-04-16T12:55:00Z
4
value 0.06747
scoring_system epss
scoring_elements 0.91288
published_at 2026-04-13T12:55:00Z
5
value 0.06747
scoring_system epss
scoring_elements 0.91289
published_at 2026-04-12T12:55:00Z
6
value 0.06747
scoring_system epss
scoring_elements 0.91286
published_at 2026-04-11T12:55:00Z
7
value 0.06747
scoring_system epss
scoring_elements 0.91279
published_at 2026-04-09T12:55:00Z
8
value 0.06747
scoring_system epss
scoring_elements 0.91272
published_at 2026-04-08T12:55:00Z
9
value 0.06747
scoring_system epss
scoring_elements 0.9126
published_at 2026-04-07T12:55:00Z
10
value 0.06747
scoring_system epss
scoring_elements 0.91253
published_at 2026-04-04T12:55:00Z
11
value 0.06747
scoring_system epss
scoring_elements 0.91243
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21349
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21349
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21349
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21349.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21349.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942635
reference_id 1942635
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942635
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-f6hm-88x3-mfjv
reference_id GHSA-f6hm-88x3-mfjv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f6hm-88x3-mfjv
28
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
29
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
30
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
31
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
32
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
33
reference_url https://access.redhat.com/errata/RHSA-2022:1029
reference_id RHSA-2022:1029
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:1029
34
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21349, GHSA-f6hm-88x3-mfjv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5yy-xx6z-dfh6
26
url VCID-v7za-zjfx-mqek
vulnerability_id VCID-v7za-zjfx-mqek
summary
Server-Side Request Forgery (SSRF)
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39152.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39152.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39152
reference_id
reference_type
scores
0
value 0.61765
scoring_system epss
scoring_elements 0.98341
published_at 2026-04-21T12:55:00Z
1
value 0.61765
scoring_system epss
scoring_elements 0.98342
published_at 2026-04-18T12:55:00Z
2
value 0.61765
scoring_system epss
scoring_elements 0.98337
published_at 2026-04-13T12:55:00Z
3
value 0.61765
scoring_system epss
scoring_elements 0.98336
published_at 2026-04-11T12:55:00Z
4
value 0.61765
scoring_system epss
scoring_elements 0.98333
published_at 2026-04-09T12:55:00Z
5
value 0.61765
scoring_system epss
scoring_elements 0.98328
published_at 2026-04-07T12:55:00Z
6
value 0.61765
scoring_system epss
scoring_elements 0.98325
published_at 2026-04-04T12:55:00Z
7
value 0.61765
scoring_system epss
scoring_elements 0.98323
published_at 2026-04-02T12:55:00Z
8
value 0.61765
scoring_system epss
scoring_elements 0.98321
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39152
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39152.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39152.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997793
reference_id 1997793
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997793
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39152
reference_id CVE-2021-39152
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39152
36
reference_url https://github.com/advisories/GHSA-xw4p-crpj-vjx2
reference_id GHSA-xw4p-crpj-vjx2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xw4p-crpj-vjx2
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39152, GHSA-xw4p-crpj-vjx2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v7za-zjfx-mqek
27
url VCID-vn1d-9uf5-gbce
vulnerability_id VCID-vn1d-9uf5-gbce
summary
XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling
### Impact
The vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights, only by manipulating the processed input stream.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.15.

### Workarounds
The reported vulnerability only exists with a JAX-WS runtime on the classpath.

No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.

Users of XStream 1.4.14 or below who still insist on using XStream's default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.

Users of XStream 1.4.14 can simply add two lines to XStream's setup code:
```Java
xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
```

Users of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:
```Java
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
```
Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _jdk.nashorn.internal.objects.NativeString.class_, _java.lang.Void_ and _void_ and deny several types by name pattern.
```Java
// Types only reachable by name (not necessarily present on every JDK) are denied as strings.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
// Types that are always present in the Java runtime are denied by class literal.
xstream.denyTypes(new Class[]{ java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
// Remaining critical types are denied by name pattern.
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
```
Users of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:
```Java
import java.lang.reflect.Proxy;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

// Catch-all converter that claims the known critical types and refuses to (un)marshal them.
// Registered with PRIORITY_LOW so it still wins over the default reflection converter.
xstream.registerConverter(new Converter() {
  public boolean canConvert(Class type) {
    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
        || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)
        || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
  }

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
}, XStream.PRIORITY_LOW);
```
  
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26259.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26259.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26259
reference_id
reference_type
scores
0
value 0.8887
scoring_system epss
scoring_elements 0.99524
published_at 2026-04-21T12:55:00Z
1
value 0.8887
scoring_system epss
scoring_elements 0.99522
published_at 2026-04-18T12:55:00Z
2
value 0.8887
scoring_system epss
scoring_elements 0.99521
published_at 2026-04-16T12:55:00Z
3
value 0.8887
scoring_system epss
scoring_elements 0.99516
published_at 2026-04-01T12:55:00Z
4
value 0.8887
scoring_system epss
scoring_elements 0.99519
published_at 2026-04-13T12:55:00Z
5
value 0.8887
scoring_system epss
scoring_elements 0.99518
published_at 2026-04-08T12:55:00Z
6
value 0.8887
scoring_system epss
scoring_elements 0.99517
published_at 2026-04-07T12:55:00Z
7
value 0.8887
scoring_system epss
scoring_elements 0.99515
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26259
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
6
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
7
reference_url https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26259
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26259
16
reference_url https://security.netapp.com/advisory/ntap-20210409-0005
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210409-0005
17
reference_url https://security.netapp.com/advisory/ntap-20210409-0005/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210409-0005/
18
reference_url https://www.debian.org/security/2021/dsa-4828
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4828
19
reference_url https://x-stream.github.io/CVE-2020-26259.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2020-26259.html
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1908837
reference_id 1908837
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1908837
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977624
reference_id 977624
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977624
22
reference_url https://github.com/advisories/GHSA-jfvx-7wrx-43fh
reference_id GHSA-jfvx-7wrx-43fh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jfvx-7wrx-43fh
23
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
24
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
25
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
26
reference_url https://access.redhat.com/errata/RHSA-2021:3205
reference_id RHSA-2021:3205
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3205
27
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
28
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
29
reference_url https://usn.ubuntu.com/4714-1/
reference_id USN-4714-1
reference_type
scores
url https://usn.ubuntu.com/4714-1/
30
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
31
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.15
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-6mz4-fu3s-vycx
2
vulnerability VCID-7ma6-2uv1-sbef
3
vulnerability VCID-8gha-n6ke-nucu
4
vulnerability VCID-9442-1vwr-5fbt
5
vulnerability VCID-c5tu-31kw-mfcf
6
vulnerability VCID-dxpe-qmxq-ykax
7
vulnerability VCID-eeye-wfxf-x7cc
8
vulnerability VCID-exrn-u19r-wfd8
9
vulnerability VCID-f779-wcjk-kfc1
10
vulnerability VCID-fcg2-x3s5-wudk
11
vulnerability VCID-hqzr-vc5w-9ff5
12
vulnerability VCID-mfub-hwcq-pqbt
13
vulnerability VCID-na6t-mkxt-3qbw
14
vulnerability VCID-npjx-vkrd-9bae
15
vulnerability VCID-nrf7-heu6-vfdc
16
vulnerability VCID-qh44-75jb-wbhf
17
vulnerability VCID-qvbb-jhkk-2udw
18
vulnerability VCID-qwp5-wae9-cffb
19
vulnerability VCID-re5g-6kjz-q7e8
20
vulnerability VCID-rfc1-r1gr-wffp
21
vulnerability VCID-sqb5-brnu-vfbk
22
vulnerability VCID-u5yy-xx6z-dfh6
23
vulnerability VCID-v7za-zjfx-mqek
24
vulnerability VCID-vpxs-6wcf-ckh9
25
vulnerability VCID-wehr-d623-akaj
26
vulnerability VCID-xdpy-sx55-b3ac
27
vulnerability VCID-xsr8-3cke-33ck
28
vulnerability VCID-yb4j-92y9-nfb5
29
vulnerability VCID-yuwe-6pp1-bke2
30
vulnerability VCID-zm9c-xw64-5qcc
31
vulnerability VCID-zmh2-t17w-wue1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.15
aliases CVE-2020-26259, GHSA-jfvx-7wrx-43fh
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vn1d-9uf5-gbce
28
url VCID-vpxs-6wcf-ckh9
vulnerability_id VCID-vpxs-6wcf-ckh9
summary
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21346](https://x-stream.github.io/CVE-2021-21346.html).

### Credits
wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21346.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21346.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21346
reference_id
reference_type
scores
0
value 0.03665
scoring_system epss
scoring_elements 0.8791
published_at 2026-04-21T12:55:00Z
1
value 0.03665
scoring_system epss
scoring_elements 0.87911
published_at 2026-04-18T12:55:00Z
2
value 0.03665
scoring_system epss
scoring_elements 0.8784
published_at 2026-04-01T12:55:00Z
3
value 0.03665
scoring_system epss
scoring_elements 0.87912
published_at 2026-04-16T12:55:00Z
4
value 0.03665
scoring_system epss
scoring_elements 0.87898
published_at 2026-04-13T12:55:00Z
5
value 0.03665
scoring_system epss
scoring_elements 0.87899
published_at 2026-04-12T12:55:00Z
6
value 0.03665
scoring_system epss
scoring_elements 0.87906
published_at 2026-04-11T12:55:00Z
7
value 0.03665
scoring_system epss
scoring_elements 0.87894
published_at 2026-04-09T12:55:00Z
8
value 0.03665
scoring_system epss
scoring_elements 0.87888
published_at 2026-04-08T12:55:00Z
9
value 0.03665
scoring_system epss
scoring_elements 0.87866
published_at 2026-04-07T12:55:00Z
10
value 0.03665
scoring_system epss
scoring_elements 0.87863
published_at 2026-04-04T12:55:00Z
11
value 0.03665
scoring_system epss
scoring_elements 0.8785
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21346
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21346
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21346
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21346.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21346.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942578
reference_id 1942578
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942578
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-4hrm-m67v-5cxr
reference_id GHSA-4hrm-m67v-5cxr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4hrm-m67v-5cxr
28
reference_url https://access.redhat.com/errata/RHSA-2021:1354
reference_id RHSA-2021:1354
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1354
29
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
30
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
31
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
32
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
33
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
34
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
35
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
36
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21346, GHSA-4hrm-m67v-5cxr
risk_score 3.6
exploitability 0.5
weighted_severity 7.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vpxs-6wcf-ckh9
29
url VCID-wehr-d623-akaj
vulnerability_id VCID-wehr-d623-akaj
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to allocate % CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39140.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39140.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39140
reference_id
reference_type
scores
0
value 0.00138
scoring_system epss
scoring_elements 0.33938
published_at 2026-04-21T12:55:00Z
1
value 0.00138
scoring_system epss
scoring_elements 0.3397
published_at 2026-04-18T12:55:00Z
2
value 0.00138
scoring_system epss
scoring_elements 0.34053
published_at 2026-04-02T12:55:00Z
3
value 0.00138
scoring_system epss
scoring_elements 0.3371
published_at 2026-04-01T12:55:00Z
4
value 0.00138
scoring_system epss
scoring_elements 0.33972
published_at 2026-04-12T12:55:00Z
5
value 0.00138
scoring_system epss
scoring_elements 0.33948
published_at 2026-04-13T12:55:00Z
6
value 0.00138
scoring_system epss
scoring_elements 0.34083
published_at 2026-04-04T12:55:00Z
7
value 0.00138
scoring_system epss
scoring_elements 0.33942
published_at 2026-04-07T12:55:00Z
8
value 0.00138
scoring_system epss
scoring_elements 0.33984
published_at 2026-04-16T12:55:00Z
9
value 0.00138
scoring_system epss
scoring_elements 0.34015
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39140
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39140.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39140.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997765
reference_id 1997765
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997765
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39140
reference_id CVE-2021-39140
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39140
36
reference_url https://github.com/advisories/GHSA-6wf9-jmg9-vxcc
reference_id GHSA-6wf9-jmg9-vxcc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6wf9-jmg9-vxcc
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39140, GHSA-6wf9-jmg9-vxcc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wehr-d623-akaj
30
url VCID-xdpy-sx55-b3ac
vulnerability_id VCID-xdpy-sx55-b3ac
summary
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21347](https://x-stream.github.io/CVE-2021-21347.html).

### Credits
The vulnerability was discovered and reported by threedr3am.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21347.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21347.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21347
reference_id
reference_type
scores
0
value 0.03287
scoring_system epss
scoring_elements 0.87208
published_at 2026-04-21T12:55:00Z
1
value 0.03287
scoring_system epss
scoring_elements 0.87215
published_at 2026-04-18T12:55:00Z
2
value 0.03287
scoring_system epss
scoring_elements 0.8714
published_at 2026-04-01T12:55:00Z
3
value 0.03287
scoring_system epss
scoring_elements 0.8721
published_at 2026-04-16T12:55:00Z
4
value 0.03287
scoring_system epss
scoring_elements 0.87194
published_at 2026-04-13T12:55:00Z
5
value 0.03287
scoring_system epss
scoring_elements 0.87199
published_at 2026-04-12T12:55:00Z
6
value 0.03287
scoring_system epss
scoring_elements 0.87205
published_at 2026-04-11T12:55:00Z
7
value 0.03287
scoring_system epss
scoring_elements 0.87191
published_at 2026-04-09T12:55:00Z
8
value 0.03287
scoring_system epss
scoring_elements 0.87185
published_at 2026-04-08T12:55:00Z
9
value 0.03287
scoring_system epss
scoring_elements 0.87165
published_at 2026-04-07T12:55:00Z
10
value 0.03287
scoring_system epss
scoring_elements 0.87168
published_at 2026-04-04T12:55:00Z
11
value 0.03287
scoring_system epss
scoring_elements 0.87151
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21347
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21347
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21347
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21347.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21347.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942629
reference_id 1942629
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942629
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-qpfq-ph7r-qv6f
reference_id GHSA-qpfq-ph7r-qv6f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qpfq-ph7r-qv6f
28
reference_url https://access.redhat.com/errata/RHSA-2021:1354
reference_id RHSA-2021:1354
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1354
29
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
30
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
31
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
32
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
33
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
34
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
35
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
36
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21347, GHSA-qpfq-ph7r-qv6f
risk_score 3.6
exploitability 0.5
weighted_severity 7.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xdpy-sx55-b3ac
31
url VCID-xsr8-3cke-33ck
vulnerability_id VCID-xsr8-3cke-33ck
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39149.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39149.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39149
reference_id
reference_type
scores
0
value 0.00708
scoring_system epss
scoring_elements 0.72222
published_at 2026-04-21T12:55:00Z
1
value 0.00708
scoring_system epss
scoring_elements 0.72236
published_at 2026-04-18T12:55:00Z
2
value 0.00708
scoring_system epss
scoring_elements 0.72226
published_at 2026-04-16T12:55:00Z
3
value 0.00708
scoring_system epss
scoring_elements 0.72185
published_at 2026-04-13T12:55:00Z
4
value 0.00708
scoring_system epss
scoring_elements 0.72199
published_at 2026-04-12T12:55:00Z
5
value 0.00708
scoring_system epss
scoring_elements 0.72214
published_at 2026-04-11T12:55:00Z
6
value 0.00708
scoring_system epss
scoring_elements 0.72192
published_at 2026-04-09T12:55:00Z
7
value 0.00708
scoring_system epss
scoring_elements 0.7218
published_at 2026-04-08T12:55:00Z
8
value 0.00708
scoring_system epss
scoring_elements 0.72143
published_at 2026-04-07T12:55:00Z
9
value 0.00708
scoring_system epss
scoring_elements 0.72166
published_at 2026-04-04T12:55:00Z
10
value 0.00708
scoring_system epss
scoring_elements 0.72145
published_at 2026-04-02T12:55:00Z
11
value 0.00708
scoring_system epss
scoring_elements 0.7214
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39149
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://x-stream.github.io/CVE-2021-39149.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39149.html
33
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997784
reference_id 1997784
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997784
34
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39149
reference_id CVE-2021-39149
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39149
36
reference_url https://github.com/advisories/GHSA-3ccq-5vw3-2p6x
reference_id GHSA-3ccq-5vw3-2p6x
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3ccq-5vw3-2p6x
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39149, GHSA-3ccq-5vw3-2p6x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xsr8-3cke-33ck
32
url VCID-y8ub-2kad-kqbs
vulnerability_id VCID-y8ub-2kad-kqbs
summary Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
references
0
reference_url http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-7285.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-7285.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-7285
reference_id
reference_type
scores
0
value 0.14817
scoring_system epss
scoring_elements 0.94527
published_at 2026-04-18T12:55:00Z
1
value 0.14817
scoring_system epss
scoring_elements 0.94522
published_at 2026-04-16T12:55:00Z
2
value 0.14817
scoring_system epss
scoring_elements 0.94508
published_at 2026-04-13T12:55:00Z
3
value 0.14817
scoring_system epss
scoring_elements 0.94509
published_at 2026-04-12T12:55:00Z
4
value 0.14817
scoring_system epss
scoring_elements 0.94507
published_at 2026-04-11T12:55:00Z
5
value 0.14817
scoring_system epss
scoring_elements 0.94503
published_at 2026-04-09T12:55:00Z
6
value 0.14817
scoring_system epss
scoring_elements 0.945
published_at 2026-04-08T12:55:00Z
7
value 0.14817
scoring_system epss
scoring_elements 0.9449
published_at 2026-04-07T12:55:00Z
8
value 0.14817
scoring_system epss
scoring_elements 0.94488
published_at 2026-04-04T12:55:00Z
9
value 0.14817
scoring_system epss
scoring_elements 0.9448
published_at 2026-04-02T12:55:00Z
10
value 0.14817
scoring_system epss
scoring_elements 0.94473
published_at 2026-04-01T12:55:00Z
11
value 0.14817
scoring_system epss
scoring_elements 0.94531
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-7285
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
4
reference_url http://seclists.org/oss-sec/2014/q1/69
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://seclists.org/oss-sec/2014/q1/69
5
reference_url https://fisheye.codehaus.org/changelog/xstream?cs=2210
reference_id
reference_type
scores
url https://fisheye.codehaus.org/changelog/xstream?cs=2210
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d
8
reference_url https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-7285
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-7285
11
reference_url https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
12
reference_url https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
13
reference_url https://www.oracle.com/security-alerts/cpuoct2020.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2020.html
14
reference_url https://x-stream.github.io/CVE-2013-7285.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2013-7285.html
15
reference_url http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1051277
reference_id 1051277
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1051277
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821
reference_id 734821
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821
18
reference_url https://bugzilla.redhat.com/CVE-2013-7285
reference_id CVE-2013-7285
reference_type
scores
url https://bugzilla.redhat.com/CVE-2013-7285
19
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/39193.txt
reference_id CVE-2013-7285;OSVDB-102253
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/39193.txt
20
reference_url https://github.com/advisories/GHSA-f554-x222-wgf7
reference_id GHSA-f554-x222-wgf7
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f554-x222-wgf7
21
reference_url https://security.gentoo.org/glsa/201612-35
reference_id GLSA-201612-35
reference_type
scores
url https://security.gentoo.org/glsa/201612-35
22
reference_url https://access.redhat.com/errata/RHSA-2014:0216
reference_id RHSA-2014:0216
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0216
23
reference_url https://access.redhat.com/errata/RHSA-2014:0294
reference_id RHSA-2014:0294
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0294
24
reference_url https://access.redhat.com/errata/RHSA-2014:0323
reference_id RHSA-2014:0323
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0323
25
reference_url https://access.redhat.com/errata/RHSA-2014:0374
reference_id RHSA-2014:0374
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0374
26
reference_url https://access.redhat.com/errata/RHSA-2014:0389
reference_id RHSA-2014:0389
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0389
27
reference_url https://access.redhat.com/errata/RHSA-2014:0452
reference_id RHSA-2014:0452
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0452
28
reference_url https://access.redhat.com/errata/RHSA-2014:1007
reference_id RHSA-2014:1007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:1007
29
reference_url https://access.redhat.com/errata/RHSA-2014:1059
reference_id RHSA-2014:1059
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:1059
30
reference_url https://access.redhat.com/errata/RHSA-2015:1009
reference_id RHSA-2015:1009
reference_type
scores
url https://access.redhat.com/errata/RHSA-2015:1009
31
reference_url https://access.redhat.com/errata/RHSA-2015:1888
reference_id RHSA-2015:1888
reference_type
scores
url https://access.redhat.com/errata/RHSA-2015:1888
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.7
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-2t1b-135u-euem
2
vulnerability VCID-6mz4-fu3s-vycx
3
vulnerability VCID-7ma6-2uv1-sbef
4
vulnerability VCID-8gha-n6ke-nucu
5
vulnerability VCID-9442-1vwr-5fbt
6
vulnerability VCID-c5tu-31kw-mfcf
7
vulnerability VCID-dxpe-qmxq-ykax
8
vulnerability VCID-eeye-wfxf-x7cc
9
vulnerability VCID-exrn-u19r-wfd8
10
vulnerability VCID-f779-wcjk-kfc1
11
vulnerability VCID-fcg2-x3s5-wudk
12
vulnerability VCID-hqzr-vc5w-9ff5
13
vulnerability VCID-hsja-ryzy-7bbx
14
vulnerability VCID-mfub-hwcq-pqbt
15
vulnerability VCID-na6t-mkxt-3qbw
16
vulnerability VCID-nn7p-d7hz-53d5
17
vulnerability VCID-npjx-vkrd-9bae
18
vulnerability VCID-nrf7-heu6-vfdc
19
vulnerability VCID-qh44-75jb-wbhf
20
vulnerability VCID-qvbb-jhkk-2udw
21
vulnerability VCID-qwp5-wae9-cffb
22
vulnerability VCID-re5g-6kjz-q7e8
23
vulnerability VCID-rfc1-r1gr-wffp
24
vulnerability VCID-sqb5-brnu-vfbk
25
vulnerability VCID-u5yy-xx6z-dfh6
26
vulnerability VCID-v7za-zjfx-mqek
27
vulnerability VCID-vn1d-9uf5-gbce
28
vulnerability VCID-vpxs-6wcf-ckh9
29
vulnerability VCID-wehr-d623-akaj
30
vulnerability VCID-xdpy-sx55-b3ac
31
vulnerability VCID-xsr8-3cke-33ck
32
vulnerability VCID-yb4j-92y9-nfb5
33
vulnerability VCID-yuwe-6pp1-bke2
34
vulnerability VCID-zm9c-xw64-5qcc
35
vulnerability VCID-zmh2-t17w-wue1
36
vulnerability VCID-znut-tkpq-b7cu
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.7
1
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.11
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-2t1b-135u-euem
2
vulnerability VCID-6mz4-fu3s-vycx
3
vulnerability VCID-7ma6-2uv1-sbef
4
vulnerability VCID-8gha-n6ke-nucu
5
vulnerability VCID-9442-1vwr-5fbt
6
vulnerability VCID-c5tu-31kw-mfcf
7
vulnerability VCID-dxpe-qmxq-ykax
8
vulnerability VCID-eeye-wfxf-x7cc
9
vulnerability VCID-exrn-u19r-wfd8
10
vulnerability VCID-f779-wcjk-kfc1
11
vulnerability VCID-fcg2-x3s5-wudk
12
vulnerability VCID-hqzr-vc5w-9ff5
13
vulnerability VCID-hsja-ryzy-7bbx
14
vulnerability VCID-mfub-hwcq-pqbt
15
vulnerability VCID-na6t-mkxt-3qbw
16
vulnerability VCID-npjx-vkrd-9bae
17
vulnerability VCID-nrf7-heu6-vfdc
18
vulnerability VCID-qh44-75jb-wbhf
19
vulnerability VCID-qvbb-jhkk-2udw
20
vulnerability VCID-qwp5-wae9-cffb
21
vulnerability VCID-re5g-6kjz-q7e8
22
vulnerability VCID-rfc1-r1gr-wffp
23
vulnerability VCID-sqb5-brnu-vfbk
24
vulnerability VCID-u5yy-xx6z-dfh6
25
vulnerability VCID-v7za-zjfx-mqek
26
vulnerability VCID-vn1d-9uf5-gbce
27
vulnerability VCID-vpxs-6wcf-ckh9
28
vulnerability VCID-wehr-d623-akaj
29
vulnerability VCID-xdpy-sx55-b3ac
30
vulnerability VCID-xsr8-3cke-33ck
31
vulnerability VCID-yb4j-92y9-nfb5
32
vulnerability VCID-yuwe-6pp1-bke2
33
vulnerability VCID-zm9c-xw64-5qcc
34
vulnerability VCID-zmh2-t17w-wue1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.11
aliases CVE-2013-7285, GHSA-f554-x222-wgf7
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y8ub-2kad-kqbs
33
url VCID-yb4j-92y9-nfb5
vulnerability_id VCID-yb4j-92y9-nfb5
summary
Denial of Service by injecting highly recursive collections or maps in XStream
The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43859.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43859.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43859
reference_id
reference_type
scores
0
value 0.01863
scoring_system epss
scoring_elements 0.83096
published_at 2026-04-21T12:55:00Z
1
value 0.01863
scoring_system epss
scoring_elements 0.83093
published_at 2026-04-18T12:55:00Z
2
value 0.01863
scoring_system epss
scoring_elements 0.83092
published_at 2026-04-16T12:55:00Z
3
value 0.01863
scoring_system epss
scoring_elements 0.83054
published_at 2026-04-13T12:55:00Z
4
value 0.01863
scoring_system epss
scoring_elements 0.83058
published_at 2026-04-12T12:55:00Z
5
value 0.01863
scoring_system epss
scoring_elements 0.83064
published_at 2026-04-11T12:55:00Z
6
value 0.01863
scoring_system epss
scoring_elements 0.83049
published_at 2026-04-09T12:55:00Z
7
value 0.01863
scoring_system epss
scoring_elements 0.83017
published_at 2026-04-07T12:55:00Z
8
value 0.01863
scoring_system epss
scoring_elements 0.83019
published_at 2026-04-04T12:55:00Z
9
value 0.01863
scoring_system epss
scoring_elements 0.83006
published_at 2026-04-02T12:55:00Z
10
value 0.01863
scoring_system epss
scoring_elements 0.8299
published_at 2026-04-01T12:55:00Z
11
value 0.01863
scoring_system epss
scoring_elements 0.83042
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43859
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
6
reference_url https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html
7
reference_url https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X
12
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://www.oracle.com/security-alerts/cpuapr2022.html
13
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://www.oracle.com/security-alerts/cpujul2022.html
14
reference_url http://www.openwall.com/lists/oss-security/2022/02/09/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url http://www.openwall.com/lists/oss-security/2022/02/09/1
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2049783
reference_id 2049783
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2049783
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43859
reference_id CVE-2021-43859
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43859
17
reference_url https://x-stream.github.io/CVE-2021-43859.html
reference_id CVE-2021-43859.HTML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://x-stream.github.io/CVE-2021-43859.html
18
reference_url https://github.com/advisories/GHSA-rmr5-cpv2-vgjf
reference_id GHSA-rmr5-cpv2-vgjf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rmr5-cpv2-vgjf
19
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
reference_id GHSA-rmr5-cpv2-vgjf
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
20
reference_url https://access.redhat.com/errata/RHSA-2022:1420
reference_id RHSA-2022:1420
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:1420
21
reference_url https://access.redhat.com/errata/RHSA-2022:5532
reference_id RHSA-2022:5532
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5532
22
reference_url https://access.redhat.com/errata/RHSA-2022:5606
reference_id RHSA-2022:5606
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5606
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
reference_id VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
reference_id XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.19
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.19
aliases CVE-2021-43859, GHSA-rmr5-cpv2-vgjf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yb4j-92y9-nfb5
34
url VCID-yuwe-6pp1-bke2
vulnerability_id VCID-yuwe-6pp1-bke2
summary
Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39139.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39139.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-39139
reference_id
reference_type
scores
0
value 0.00838
scoring_system epss
scoring_elements 0.74704
published_at 2026-04-21T12:55:00Z
1
value 0.00838
scoring_system epss
scoring_elements 0.74713
published_at 2026-04-18T12:55:00Z
2
value 0.00838
scoring_system epss
scoring_elements 0.74705
published_at 2026-04-16T12:55:00Z
3
value 0.00838
scoring_system epss
scoring_elements 0.74622
published_at 2026-04-01T12:55:00Z
4
value 0.00838
scoring_system epss
scoring_elements 0.74697
published_at 2026-04-11T12:55:00Z
5
value 0.00838
scoring_system epss
scoring_elements 0.74674
published_at 2026-04-09T12:55:00Z
6
value 0.00838
scoring_system epss
scoring_elements 0.74659
published_at 2026-04-08T12:55:00Z
7
value 0.00838
scoring_system epss
scoring_elements 0.74628
published_at 2026-04-07T12:55:00Z
8
value 0.00838
scoring_system epss
scoring_elements 0.74653
published_at 2026-04-04T12:55:00Z
9
value 0.00838
scoring_system epss
scoring_elements 0.74626
published_at 2026-04-02T12:55:00Z
10
value 0.00838
scoring_system epss
scoring_elements 0.74668
published_at 2026-04-13T12:55:00Z
11
value 0.00838
scoring_system epss
scoring_elements 0.74677
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-39139
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
18
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
19
reference_url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
26
reference_url https://security.netapp.com/advisory/ntap-20210923-0003
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210923-0003
27
reference_url https://security.netapp.com/advisory/ntap-20210923-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210923-0003/
28
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
29
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
30
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
31
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
32
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1997763
reference_id 1997763
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1997763
33
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
reference_id 998054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
34
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-39139
reference_id CVE-2021-39139
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-39139
35
reference_url https://x-stream.github.io/CVE-2021-39139.html
reference_id CVE-2021-39139.HTML
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-39139.html
36
reference_url https://github.com/advisories/GHSA-64xx-cq4q-mf44
reference_id GHSA-64xx-cq4q-mf44
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-64xx-cq4q-mf44
37
reference_url https://access.redhat.com/errata/RHSA-2021:3956
reference_id RHSA-2021:3956
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3956
38
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
39
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
40
reference_url https://access.redhat.com/errata/RHSA-2022:0296
reference_id RHSA-2022:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0296
41
reference_url https://access.redhat.com/errata/RHSA-2022:0297
reference_id RHSA-2022:0297
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0297
42
reference_url https://access.redhat.com/errata/RHSA-2022:0520
reference_id RHSA-2022:0520
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0520
43
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9442-1vwr-5fbt
1
vulnerability VCID-exrn-u19r-wfd8
2
vulnerability VCID-fcg2-x3s5-wudk
3
vulnerability VCID-hqzr-vc5w-9ff5
4
vulnerability VCID-mfub-hwcq-pqbt
5
vulnerability VCID-yb4j-92y9-nfb5
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18
aliases CVE-2021-39139, GHSA-64xx-cq4q-mf44
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yuwe-6pp1-bke2
35
url VCID-zm9c-xw64-5qcc
vulnerability_id VCID-zm9c-xw64-5qcc
summary
XStream can cause a Denial of Service.
### Impact
The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21341](https://x-stream.github.io/CVE-2021-21341.html).

### Credits
The vulnerability was discovered and reported by threedr3am.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21341.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21341.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21341
reference_id
reference_type
scores
0
value 0.27312
scoring_system epss
scoring_elements 0.96418
published_at 2026-04-21T12:55:00Z
1
value 0.27312
scoring_system epss
scoring_elements 0.96417
published_at 2026-04-18T12:55:00Z
2
value 0.27312
scoring_system epss
scoring_elements 0.96412
published_at 2026-04-16T12:55:00Z
3
value 0.27312
scoring_system epss
scoring_elements 0.96406
published_at 2026-04-13T12:55:00Z
4
value 0.27312
scoring_system epss
scoring_elements 0.96402
published_at 2026-04-12T12:55:00Z
5
value 0.27312
scoring_system epss
scoring_elements 0.96398
published_at 2026-04-09T12:55:00Z
6
value 0.27312
scoring_system epss
scoring_elements 0.96395
published_at 2026-04-08T12:55:00Z
7
value 0.27312
scoring_system epss
scoring_elements 0.96387
published_at 2026-04-07T12:55:00Z
8
value 0.27312
scoring_system epss
scoring_elements 0.96383
published_at 2026-04-04T12:55:00Z
9
value 0.27312
scoring_system epss
scoring_elements 0.96379
published_at 2026-04-02T12:55:00Z
10
value 0.27312
scoring_system epss
scoring_elements 0.96372
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21341
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21341
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21341
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21341.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21341.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942539
reference_id 1942539
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942539
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-2p3x-qw9c-25hh
reference_id GHSA-2p3x-qw9c-25hh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2p3x-qw9c-25hh
28
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
29
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
30
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
31
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
32
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
33
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
34
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21341, GHSA-2p3x-qw9c-25hh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zm9c-xw64-5qcc
36
url VCID-zmh2-t17w-wue1
vulnerability_id VCID-zmh2-t17w-wue1
summary
A Server-Side Request Forgery can be triggered while unmarshalling with XStream, allowing access to data streams from an arbitrary URL that references a resource in an intranet or on the local host.
### Impact
The stream processed at unmarshalling time contains type information used to recreate the formerly written objects; XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21342](https://x-stream.github.io/CVE-2021-21342.html).

### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21342.json
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21342.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21342
reference_id
reference_type
scores
0
value 0.00869
scoring_system epss
scoring_elements 0.75212
published_at 2026-04-21T12:55:00Z
1
value 0.00869
scoring_system epss
scoring_elements 0.75223
published_at 2026-04-18T12:55:00Z
2
value 0.00869
scoring_system epss
scoring_elements 0.75136
published_at 2026-04-01T12:55:00Z
3
value 0.00869
scoring_system epss
scoring_elements 0.75217
published_at 2026-04-16T12:55:00Z
4
value 0.00869
scoring_system epss
scoring_elements 0.75214
published_at 2026-04-11T12:55:00Z
5
value 0.00869
scoring_system epss
scoring_elements 0.75192
published_at 2026-04-12T12:55:00Z
6
value 0.00869
scoring_system epss
scoring_elements 0.7518
published_at 2026-04-13T12:55:00Z
7
value 0.00869
scoring_system epss
scoring_elements 0.75146
published_at 2026-04-07T12:55:00Z
8
value 0.00869
scoring_system epss
scoring_elements 0.75169
published_at 2026-04-04T12:55:00Z
9
value 0.00869
scoring_system epss
scoring_elements 0.75139
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21342
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m
6
reference_url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
8
reference_url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21342
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21342
16
reference_url https://security.netapp.com/advisory/ntap-20210430-0002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210430-0002
17
reference_url https://security.netapp.com/advisory/ntap-20210430-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210430-0002/
18
reference_url https://www.debian.org/security/2021/dsa-5004
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-5004
19
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2022.html
20
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
21
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
22
reference_url https://x-stream.github.io/CVE-2021-21342.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/CVE-2021-21342.html
23
reference_url https://x-stream.github.io/security.html#workaround
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://x-stream.github.io/security.html#workaround
24
reference_url http://x-stream.github.io/changes.html#1.4.16
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.16
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1942545
reference_id 1942545
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1942545
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
reference_id 985843
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
27
reference_url https://github.com/advisories/GHSA-hvv8-336g-rx3m
reference_id GHSA-hvv8-336g-rx3m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hvv8-336g-rx3m
28
reference_url https://access.redhat.com/errata/RHSA-2021:2139
reference_id RHSA-2021:2139
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2139
29
reference_url https://access.redhat.com/errata/RHSA-2021:2475
reference_id RHSA-2021:2475
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2475
30
reference_url https://access.redhat.com/errata/RHSA-2021:2476
reference_id RHSA-2021:2476
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2476
31
reference_url https://access.redhat.com/errata/RHSA-2021:4767
reference_id RHSA-2021:4767
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4767
32
reference_url https://access.redhat.com/errata/RHSA-2021:4918
reference_id RHSA-2021:4918
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4918
33
reference_url https://access.redhat.com/errata/RHSA-2021:5134
reference_id RHSA-2021:5134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5134
34
reference_url https://usn.ubuntu.com/4943-1/
reference_id USN-4943-1
reference_type
scores
url https://usn.ubuntu.com/4943-1/
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-7ma6-2uv1-sbef
2
vulnerability VCID-8gha-n6ke-nucu
3
vulnerability VCID-9442-1vwr-5fbt
4
vulnerability VCID-c5tu-31kw-mfcf
5
vulnerability VCID-dxpe-qmxq-ykax
6
vulnerability VCID-eeye-wfxf-x7cc
7
vulnerability VCID-exrn-u19r-wfd8
8
vulnerability VCID-f779-wcjk-kfc1
9
vulnerability VCID-fcg2-x3s5-wudk
10
vulnerability VCID-hqzr-vc5w-9ff5
11
vulnerability VCID-mfub-hwcq-pqbt
12
vulnerability VCID-na6t-mkxt-3qbw
13
vulnerability VCID-npjx-vkrd-9bae
14
vulnerability VCID-qvbb-jhkk-2udw
15
vulnerability VCID-rfc1-r1gr-wffp
16
vulnerability VCID-v7za-zjfx-mqek
17
vulnerability VCID-wehr-d623-akaj
18
vulnerability VCID-xsr8-3cke-33ck
19
vulnerability VCID-yb4j-92y9-nfb5
20
vulnerability VCID-yuwe-6pp1-bke2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16
aliases CVE-2021-21342, GHSA-hvv8-336g-rx3m
risk_score 3.4
exploitability 0.5
weighted_severity 6.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zmh2-t17w-wue1
37
url VCID-znut-tkpq-b7cu
vulnerability_id VCID-znut-tkpq-b7cu
summary Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2016-2822.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-2822.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2016-2823.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-2823.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-3674
reference_id
reference_type
scores
0
value 0.02859
scoring_system epss
scoring_elements 0.86206
published_at 2026-04-07T12:55:00Z
1
value 0.02859
scoring_system epss
scoring_elements 0.86193
published_at 2026-04-02T12:55:00Z
2
value 0.02859
scoring_system epss
scoring_elements 0.86183
published_at 2026-04-01T12:55:00Z
3
value 0.02859
scoring_system epss
scoring_elements 0.86245
published_at 2026-04-13T12:55:00Z
4
value 0.02859
scoring_system epss
scoring_elements 0.86251
published_at 2026-04-11T12:55:00Z
5
value 0.02859
scoring_system epss
scoring_elements 0.86249
published_at 2026-04-12T12:55:00Z
6
value 0.02859
scoring_system epss
scoring_elements 0.86237
published_at 2026-04-09T12:55:00Z
7
value 0.02859
scoring_system epss
scoring_elements 0.86226
published_at 2026-04-08T12:55:00Z
8
value 0.04224
scoring_system epss
scoring_elements 0.88778
published_at 2026-04-21T12:55:00Z
9
value 0.04224
scoring_system epss
scoring_elements 0.88782
published_at 2026-04-16T12:55:00Z
10
value 0.04224
scoring_system epss
scoring_elements 0.8878
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-3674
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
7
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
8
reference_url https://github.com/x-stream/xstream/commit/25c6704bea149ee93c294ae5b6e0aecd182fea88
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/25c6704bea149ee93c294ae5b6e0aecd182fea88
9
reference_url https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f
10
reference_url https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe94
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe94
11
reference_url https://github.com/x-stream/xstream/commit/7c77ac0397a1f93c69d2776a13c31957f55d1647
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/7c77ac0397a1f93c69d2776a13c31957f55d1647
12
reference_url https://github.com/x-stream/xstream/commit/806949e1b3c22a3b31819a37402489a0303221a
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/806949e1b3c22a3b31819a37402489a0303221a
13
reference_url https://github.com/x-stream/xstream/commit/87172cfc1dd7f8f6e137963c778b03efd14ac446
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/87172cfc1dd7f8f6e137963c778b03efd14ac446
14
reference_url https://github.com/x-stream/xstream/commit/c9b121a88664988ccbabd83fa27bfc2a5e0bd139
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/c9b121a88664988ccbabd83fa27bfc2a5e0bd139
15
reference_url https://github.com/x-stream/xstream/commit/e4f1457e681e015be83c6b0b84947676980e29d
reference_id
reference_type
scores
url https://github.com/x-stream/xstream/commit/e4f1457e681e015be83c6b0b84947676980e29d
16
reference_url https://github.com/x-stream/xstream/issues/25
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream/issues/25
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-3674
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:P/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-3674
18
reference_url https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
19
reference_url http://www.debian.org/security/2016/dsa-3575
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3575
20
reference_url http://www.openwall.com/lists/oss-security/2016/03/25/8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/03/25/8
21
reference_url http://www.openwall.com/lists/oss-security/2016/03/28/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/03/28/1
22
reference_url http://www.securityfocus.com/bid/85381
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/85381
23
reference_url http://www.securitytracker.com/id/1036419
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.securitytracker.com/id/1036419
24
reference_url http://x-stream.github.io/changes.html#1.4.9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://x-stream.github.io/changes.html#1.4.9
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1321789
reference_id 1321789
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1321789
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455
reference_id 819455
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455
27
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
28
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
29
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
30
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
reference_id cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
31
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
reference_id cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
32
reference_url https://github.com/advisories/GHSA-rgh3-987h-wpmw
reference_id GHSA-rgh3-987h-wpmw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rgh3-987h-wpmw
33
reference_url https://access.redhat.com/errata/RHSA-2016:2822
reference_id RHSA-2016:2822
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:2822
34
reference_url https://access.redhat.com/errata/RHSA-2016:2823
reference_id RHSA-2016:2823
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:2823
35
reference_url https://usn.ubuntu.com/6978-1/
reference_id USN-6978-1
reference_type
scores
url https://usn.ubuntu.com/6978-1/
fixed_packages
0
url pkg:maven/com.thoughtworks.xstream/xstream@1.4.9
purl pkg:maven/com.thoughtworks.xstream/xstream@1.4.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12bx-r37t-3ygm
1
vulnerability VCID-2t1b-135u-euem
2
vulnerability VCID-6mz4-fu3s-vycx
3
vulnerability VCID-7ma6-2uv1-sbef
4
vulnerability VCID-8gha-n6ke-nucu
5
vulnerability VCID-9442-1vwr-5fbt
6
vulnerability VCID-c5tu-31kw-mfcf
7
vulnerability VCID-dxpe-qmxq-ykax
8
vulnerability VCID-eeye-wfxf-x7cc
9
vulnerability VCID-exrn-u19r-wfd8
10
vulnerability VCID-f779-wcjk-kfc1
11
vulnerability VCID-fcg2-x3s5-wudk
12
vulnerability VCID-hqzr-vc5w-9ff5
13
vulnerability VCID-hsja-ryzy-7bbx
14
vulnerability VCID-mfub-hwcq-pqbt
15
vulnerability VCID-na6t-mkxt-3qbw
16
vulnerability VCID-nn7p-d7hz-53d5
17
vulnerability VCID-npjx-vkrd-9bae
18
vulnerability VCID-nrf7-heu6-vfdc
19
vulnerability VCID-qh44-75jb-wbhf
20
vulnerability VCID-qvbb-jhkk-2udw
21
vulnerability VCID-qwp5-wae9-cffb
22
vulnerability VCID-re5g-6kjz-q7e8
23
vulnerability VCID-rfc1-r1gr-wffp
24
vulnerability VCID-sqb5-brnu-vfbk
25
vulnerability VCID-u5yy-xx6z-dfh6
26
vulnerability VCID-v7za-zjfx-mqek
27
vulnerability VCID-vn1d-9uf5-gbce
28
vulnerability VCID-vpxs-6wcf-ckh9
29
vulnerability VCID-wehr-d623-akaj
30
vulnerability VCID-xdpy-sx55-b3ac
31
vulnerability VCID-xsr8-3cke-33ck
32
vulnerability VCID-yb4j-92y9-nfb5
33
vulnerability VCID-yuwe-6pp1-bke2
34
vulnerability VCID-zm9c-xw64-5qcc
35
vulnerability VCID-zmh2-t17w-wue1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.9
aliases CVE-2016-3674, GHSA-rgh3-987h-wpmw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-znut-tkpq-b7cu
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.3