VulnerableCode Package Details - pkg:rpm/redhat/xstream@1.3.1-13?arch=el7

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-6mz4-fu3s-vycx Aliases: CVE-2021-21350 GHSA-43gc-mjxg-gvrq	XStream is vulnerable to an Arbitrary Code Execution attack ### Impact The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21350](https://x-stream.github.io/CVE-2021-21350.html). ### Credits The vulnerability was discovered and reported by threedr3am. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	There are no reported fixed by versions.
VCID-nrf7-heu6-vfdc Aliases: CVE-2021-21344 GHSA-59jw-jqf4-3wq3	XStream is vulnerable to an Arbitrary Code Execution attack ### Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21344](https://x-stream.github.io/CVE-2021-21344.html). ### Credits 钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	There are no reported fixed by versions.
VCID-qh44-75jb-wbhf Aliases: CVE-2021-21345 GHSA-hwpc-8xqv-jvj4	XStream is vulnerable to a Remote Command Execution attack ### Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21345](https://x-stream.github.io/CVE-2021-21345.html). ### Credits 钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	There are no reported fixed by versions.
VCID-vpxs-6wcf-ckh9 Aliases: CVE-2021-21346 GHSA-4hrm-m67v-5cxr	XStream is vulnerable to an Arbitrary Code Execution attack ### Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21346](https://x-stream.github.io/CVE-2021-21346.html). ### Credits wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	There are no reported fixed by versions.
VCID-xdpy-sx55-b3ac Aliases: CVE-2021-21347 GHSA-qpfq-ph7r-qv6f	XStream is vulnerable to an Arbitrary Code Execution attack ### Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21347](https://x-stream.github.io/CVE-2021-21347.html). ### Credits The vulnerability was discovered and reported by threedr3am. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	There are no reported fixed by versions.

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	10.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:02:49.465994+00:00	RedHat Importer	Affected by	VCID-6mz4-fu3s-vycx	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21350.json	38.0.0
2026-04-01T14:02:49.362948+00:00	RedHat Importer	Affected by	VCID-xdpy-sx55-b3ac	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21347.json	38.0.0
2026-04-01T14:02:49.322541+00:00	RedHat Importer	Affected by	VCID-vpxs-6wcf-ckh9	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21346.json	38.0.0
2026-04-01T14:02:49.286446+00:00	RedHat Importer	Affected by	VCID-qh44-75jb-wbhf	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21345.json	38.0.0
2026-04-01T14:02:49.250225+00:00	RedHat Importer	Affected by	VCID-nrf7-heu6-vfdc	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21344.json	38.0.0