Package details: pkg:deb/debian/libxstream-java@1.4.15-2?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (11)
Vulnerability Summary Aliases
VCID-6mz4-fu3s-vycx
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21350](https://x-stream.github.io/CVE-2021-21350.html).
### Credits
The vulnerability was discovered and reported by threedr3am.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21350, GHSA-43gc-mjxg-gvrq
VCID-nrf7-heu6-vfdc
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21344](https://x-stream.github.io/CVE-2021-21344.html).
### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21344, GHSA-59jw-jqf4-3wq3
VCID-qh44-75jb-wbhf
XStream is vulnerable to a Remote Command Execution attack
### Impact
The vulnerability may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21345](https://x-stream.github.io/CVE-2021-21345.html).
### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21345, GHSA-hwpc-8xqv-jvj4
VCID-qwp5-wae9-cffb
XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)
### Impact
The vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21348](https://x-stream.github.io/CVE-2021-21348.html).
### Credits
The vulnerability was discovered and reported by threedr3am.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21348, GHSA-56p8-3fh9-4cvq
VCID-re5g-6kjz-q7e8
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21351](https://x-stream.github.io/CVE-2021-21351.html).
### Credits
wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21351, GHSA-hrcp-8f3q-4w2c
VCID-sqb5-brnu-vfbk
XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights
### Impact
The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21343](https://x-stream.github.io/CVE-2021-21343.html).
### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21343, GHSA-74cv-f58x-f9wf
VCID-u5yy-xx6z-dfh6
A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
### Impact
The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21349](https://x-stream.github.io/CVE-2021-21349.html).
### Credits
The vulnerability was discovered and reported by threedr3am.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21349, GHSA-f6hm-88x3-mfjv
VCID-vpxs-6wcf-ckh9
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21346](https://x-stream.github.io/CVE-2021-21346.html).
### Credits
wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21346, GHSA-4hrm-m67v-5cxr
VCID-xdpy-sx55-b3ac
XStream is vulnerable to an Arbitrary Code Execution attack
### Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21347](https://x-stream.github.io/CVE-2021-21347.html).
### Credits
The vulnerability was discovered and reported by threedr3am.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21347, GHSA-qpfq-ph7r-qv6f
VCID-zm9c-xw64-5qcc
XStream can cause a Denial of Service.
### Impact
The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21341](https://x-stream.github.io/CVE-2021-21341.html).
### Credits
The vulnerability was discovered and reported by threedr3am.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21341, GHSA-2p3x-qw9c-25hh
VCID-zmh2-t17w-wue1
A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
### Impact
The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
### Patches
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.
### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.
### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21342](https://x-stream.github.io/CVE-2021-21342.html).
### Credits
钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
Aliases: CVE-2021-21342, GHSA-hvv8-336g-rx3m

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T13:31:07.759824+00:00 Debian Importer Fixing VCID-zm9c-xw64-5qcc https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T13:04:59.500585+00:00 Debian Importer Fixing VCID-sqb5-brnu-vfbk https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:18:40.613510+00:00 Debian Importer Fixing VCID-qh44-75jb-wbhf https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:12:52.303880+00:00 Debian Importer Fixing VCID-zmh2-t17w-wue1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:49:39.187990+00:00 Debian Importer Fixing VCID-u5yy-xx6z-dfh6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:33:49.504469+00:00 Debian Importer Fixing VCID-vpxs-6wcf-ckh9 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:29:57.735359+00:00 Debian Importer Fixing VCID-re5g-6kjz-q7e8 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:43:56.394380+00:00 Debian Importer Fixing VCID-nrf7-heu6-vfdc https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:27:48.471622+00:00 Debian Importer Fixing VCID-xdpy-sx55-b3ac https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:19:39.693468+00:00 Debian Importer Fixing VCID-6mz4-fu3s-vycx https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:43:43.152236+00:00 Debian Importer Fixing VCID-qwp5-wae9-cffb https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T09:19:49.592495+00:00 Debian Importer Fixing VCID-zm9c-xw64-5qcc https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:59:43.347812+00:00 Debian Importer Fixing VCID-sqb5-brnu-vfbk https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:25:14.592895+00:00 Debian Importer Fixing VCID-qh44-75jb-wbhf https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:21:18.354677+00:00 Debian Importer Fixing VCID-zmh2-t17w-wue1 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:04:16.106378+00:00 Debian Importer Fixing VCID-u5yy-xx6z-dfh6 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:52:59.163789+00:00 Debian Importer Fixing VCID-vpxs-6wcf-ckh9 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:50:14.081312+00:00 Debian Importer Fixing VCID-re5g-6kjz-q7e8 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:15:26.371160+00:00 Debian Importer Fixing VCID-nrf7-heu6-vfdc https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:03:35.854995+00:00 Debian Importer Fixing VCID-xdpy-sx55-b3ac https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:57:09.804219+00:00 Debian Importer Fixing VCID-6mz4-fu3s-vycx https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:51:52.586267+00:00 Debian Importer Fixing VCID-qwp5-wae9-cffb https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:30:12.493863+00:00 Debian Importer Fixing VCID-re5g-6kjz-q7e8 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.454143+00:00 Debian Importer Fixing VCID-6mz4-fu3s-vycx https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.413896+00:00 Debian Importer Fixing VCID-u5yy-xx6z-dfh6 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.374563+00:00 Debian Importer Fixing VCID-qwp5-wae9-cffb https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.334031+00:00 Debian Importer Fixing VCID-xdpy-sx55-b3ac https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.294085+00:00 Debian Importer Fixing VCID-vpxs-6wcf-ckh9 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.254200+00:00 Debian Importer Fixing VCID-qh44-75jb-wbhf https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.214648+00:00 Debian Importer Fixing VCID-nrf7-heu6-vfdc https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.175039+00:00 Debian Importer Fixing VCID-sqb5-brnu-vfbk https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.135838+00:00 Debian Importer Fixing VCID-zmh2-t17w-wue1 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:30:12.096527+00:00 Debian Importer Fixing VCID-zm9c-xw64-5qcc https://security-tracker.debian.org/tracker/data/json 38.1.0