{"url":"http://public2.vulnerablecode.io/api/packages/186508?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4","type":"maven","namespace":"com.thoughtworks.xstream","name":"xstream","version":"1.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.21","latest_non_vulnerable_version":"1.4.21","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11066?format=json","vulnerability_id":"VCID-12bx-r37t-3ygm","summary":"Server-Side Request Forgery (SSRF)\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39150.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39150.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39150","reference_id":"","reference_type":"","scores":[{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.8517","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85173","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85164","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85109","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85122","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02418"
,"scoring_system":"epss","scoring_elements":"0.85125","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85102","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.8508","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85076","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85059","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85046","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85143","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.8514","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85119","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve
.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","s
cores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-an
nounce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://securi
ty.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{
"reference_url":"https://x-stream.github.io/CVE-2021-39150.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39150.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997786","reference_id":"1997786","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997786"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39150","reference_id":"CVE-2021-39150","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39150"},{"reference_url":"https://github.com/advisories/GHSA-cxfm-5m4g-x7xp","reference_id":"GHSA-cxfm-5m4g-x7xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxfm-5m4g-x7xp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-20
22:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39150","GHSA-cxfm-5m4g-x7xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-12bx-r37t-3ygm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33495?format=json","vulnerability_id":"VCID-2t1b-135u-euem","summary":"XStream can be used for Remote Code Execution\n### Impact\nThe vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.14.\n\n### Workarounds\nNo user is affected, who followed the recommendation to 
setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.\n\nUsers of XStream 1.4.13 or below who still want to use XStream default blacklist can use a workaround depending on their version in use.\n\nUsers of XStream 1.4.13 can simply add two lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _java.lang.Void_ and _void_.\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\n```\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:\n```Java\nxstream.registerConverter(new Converter() {\n  public boolean canConvert(Class type) {\n    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || Proxy.isProxy(type));\n  }\n\n  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n\n  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n}, XStream.PRIORITY_LOW);\n```\n\n### Credits\nChen L found and reported the issue to XStream and provided the required information to reproduce it.  He was supported by Zhihong Tian and Hui Lu, both from Guangzhou University.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2020-26217](https://x-stream.github.io/CVE-2020-26217.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26217.json","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26217.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26217","reference_id":"","reference_type":"","scores":[{"value":"0.93008","scoring_system":"epss","scoring_elements":"0.99785","published_at":"2026-04-26T12:55:00Z"},{"value":"0.93008","scoring_system":"epss","scoring_elements":"0.99784","published_at":"2026-04-21T12:55:00Z"},{"value":"0.93008","scoring_system":"epss","scoring_elements":"0.99783","published_at":"2026-04-13T12:55:00Z"},{"value":"0.93008","scoring_system":"epss","scoring_elements":"0.99782","published_at":"2026-04-04T12:55:00Z"},{"value":"0.93008","scoring_system":"epss","scoring_elements":"0.99781","published_at":"2026-04-01T12:55:00Z"},{"value":"0.93171","scoring_system":"epss","scoring_elements":"0.99803","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26217"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"valu
e":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"},{"reference_url":"https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fd
e4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26217","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26217"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210409-0004","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cv
ssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210409-0004"},{"reference_url":"https://www.debian.org/security/2020/dsa-4811","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4811"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http
s://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2020-26217.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2020-26217.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1898907","reference_id":"1898907","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1898907"},{"reference_url":"https://github.com/advisories/GHSA-mw36-7c6c-q4q2","reference_id":"GHSA-mw36-7c6c-q4q2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mw36-7c6c-q4q2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0105","reference_id":"RHSA-2021:0105","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0105"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0106","reference_id":"RHSA-2021:0106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0162","reference_id":"RHSA-2021:0162","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0162"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0384","reference_id":"RHSA-2021:0384","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0384"},{"reference_u
rl":"https://access.redhat.com/errata/RHSA-2021:0433","reference_id":"RHSA-2021:0433","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0433"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3205","reference_id":"RHSA-2021:3205","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3205"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4714-1/","reference_id":"USN-4714-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4714-1/"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73278?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.14-java7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-hsja-ryzy-7bbx"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"
vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vn1d-9uf5-gbce"},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.14-java7"}],"aliases":["CVE-2020-26217","GHSA-mw36-7c6c-q4q2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2t1b-135u-euem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42322?format=json","vulnerability_id":"VCID-6mz4-fu3s-vycx","summary":"XStream is vulnerable to an Arbitrary Code Execution attack\n### Impact\nThe vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21350](https://x-stream.github.io/CVE-2021-21350.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21350.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21350.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21350","reference_id":"","reference_type":"","scores":[{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.925","published_at":"2026-04-08T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92524","published_at":"2026-04-29T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92489","published_at":"2026-04-07T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92485","published_at":"2026-04-04T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92477","published_at":"2
026-04-02T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92521","published_at":"2026-04-18T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92471","published_at":"2026-04-01T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92527","published_at":"2026-04-26T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92526","published_at":"2026-04-24T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92505","published_at":"2026-04-09T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92511","published_at":"2026-04-13T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92513","published_at":"2026-04-12T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92522","published_at":"2026-04-16T12:55:00Z"},{"value":"0.08761","scoring_system":"epss","scoring_elements":"0.92525","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xst
ream/security/advisories/GHSA-43gc-mjxg-gvrq","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3
HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproj
ect.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21350","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21350"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"g
eneric_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21350.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21350.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?
id=1942637","reference_id":"1942637","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942637"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-43gc-mjxg-gvrq","reference_id":"GHSA-43gc-mjxg-gvrq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43gc-mjxg-gvrq"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1354","reference_id":"RHSA-2021:1354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1354"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","referen
ce_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21350","GHSA-43gc-mjxg-gvrq"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mz4-fu3s-vycx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11061?format=json","vulnerability_id":"VCID-7ma6-2uv1-sbef","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39147.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39147.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39147","reference_id":"","reference_type":"","scores":[{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.715","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71489","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7144","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71407","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71425","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71418","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71406","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7139","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71373","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71365","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71438","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_
elements":"0.71459","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71453","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.
mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_
system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://list
s.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","s
coring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39147.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39147.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997779","reference_id":"1997779","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997779"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39147","
reference_id":"CVE-2021-39147","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39147"},{"reference_url":"https://github.com/advisories/GHSA-h7v4-7xg3-hxcc","reference_id":"GHSA-h7v4-7xg3-hxcc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h7v4-7xg3-hxcc"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","i
s_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39147","GHSA-h7v4-7xg3-hxcc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ma6-2uv1-sbef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11068?format=json","vulnerability_id":"VCID-8gha-n6ke-nucu","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not 
impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39148.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39148.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39148","reference_id":"","reference_type":"","scores":[{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.715","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71489","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7144","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71407","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71425","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71418","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71406","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7139","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71373","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71365","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71438","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71459","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71453","published
_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","referen
ce_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github
.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","refe
rence_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2
022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39148.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39148.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997781","reference_id":"1997781","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997781"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39148","reference_id":"CVE-2021-39148","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:
H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39148"},{"reference_url":"https://github.com/advisories/GHSA-qrx8-8545-4wg2","reference_id":"GHSA-qrx8-8545-4wg2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qrx8-8545-4wg2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerabi
lity":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39148","GHSA-qrx8-8545-4wg2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8gha-n6ke-nucu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52805?format=json","vulnerability_id":"VCID-9442-1vwr-5fbt","summary":"XStream can cause Denial of Service via stack overflow\n### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. 
Following types of the Java runtime are affected:\n\n- java.util.HashMap\n- java.util.HashSet\n- java.util.Hashtable\n- java.util.LinkedHashMap\n- java.util.LinkedHashSet\n- Other third party collection implementations that use their element's hash code may also be affected\n\nA simple solution is to catch the StackOverflowError in the client code calling XStream.\n\nIf your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:\n```Java\nXStream xstream = new XStream();\nxstream.setMode(XStream.NO_REFERENCES);\n```\n\nIf your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:\n```Java\nXStream xstream = new XStream();\nxstream.denyTypes(new Class[]{\n java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class\n});\n```\n\nUnfortunately these types are very common. 
If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::\n```Java\nxstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);\nxstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);\n```\nHowever, this implies that your application does not care about the implementation of the map and all elements are comparable.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41966","reference_id":"","reference_type":"","scores":[{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.85026","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.85018","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84993","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84963","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84979","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0237
6","scoring_system":"epss","scoring_elements":"0.84929","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84934","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84957","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84996","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84994","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84973","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84911","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02376","scoring_system":"epss","scoring_elements":"0.84978","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02526","scoring_system":"epss","scoring_elements":"0.85485","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41966"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pj
pv","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/"}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41966","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41966"},{"reference_url":"https://x-stream.github.io/CVE-2022-41966.html","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/"}],"url":"https://x-stream.github.io/CVE-2022-41966.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754","reference_id":"1027754","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2170431","reference_id":"2170431","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2170431"},{"reference_url":"https://github.com/advisories/GHSA-j563-grx4-pjpv","reference_id":"GHSA-j563-grx4-pjpv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j563-grx4-pjpv"},
{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1006","reference_id":"RHSA-2023:1006","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1006"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1177","reference_id":"RHSA-2023:1177","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1177"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1286","reference_id":"RHSA-2023:1286","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1286"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2041","reference_id":"RHSA-2023:2041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2041"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2100","reference_id":"RHSA-2023:2100","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2100"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3625","reference_id":"RHSA-2023:3625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3625"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3663","reference_id":"RHSA-2023:3663","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3663"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80464?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fcg2-x3s5-wudk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20"}],"aliases":["CVE-2022-41966","GHSA-j563-grx4-pjpv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabiliti
es/VCID-9442-1vwr-5fbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11071?format=json","vulnerability_id":"VCID-c5tu-31kw-mfcf","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. if using the version out of the box with Java runtime to 8 or with JavaFX installed. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39153.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39153.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39153","reference_id":"","reference_type":"","scores":[{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.715","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71489","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7144","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71407","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71425","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71418","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71406","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7139","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00674","scoring_system":
"epss","scoring_elements":"0.71373","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71365","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71438","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71459","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71453","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"r
eference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual
","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"v
alue":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scor
es":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39153.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39153.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997795","reference_id":"1997795","reference
_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997795"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39153","reference_id":"CVE-2021-39153","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39153"},{"reference_url":"https://github.com/advisories/GHSA-2q8x-2p7f-574v","reference_id":"GHSA-2q8x-2p7f-574v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2q8x-2p7f-574v"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"http
s://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39153","GHSA-2q8x-2p7f-574v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c5tu-31kw-mfcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11074?format=json","vulnerability_id":"VCID-dxpe-qmxq-ykax","summary":"Unrestricted Upload of File with Dangerous Type\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39145.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39145.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39145","reference_id":"","reference_type":"","scores":[{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70046","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70047","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70039","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69889","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69966","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69982","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69958","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69942","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69894","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69917","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69902","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69988","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scori
ng_elements":"0.70006","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69996","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.69953","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.
org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v","reference_id":"","reference_type":"","scores":[{"value":"8.5","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/
package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scori
ng_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997775","reference_id":"1997775","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997775"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39145","reference_id":"CVE-2021-39145","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":
""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39145"},{"reference_url":"https://x-stream.github.io/CVE-2021-39145.html","reference_id":"CVE-2021-39145.HTML","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39145.html"},{"reference_url":"https://github.com/advisories/GHSA-8jrj-525p-826v","reference_id":"GHSA-8jrj-525p-826v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jrj-525p-826v"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{
"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39145","GHSA-8jrj-525p-826v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dxpe-qmxq-ykax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11065?format=json","vulnerability_id":"VCID-eeye-wfxf-x7cc","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39146.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39146.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39146","reference_id":"","reference_type":"","scores":[{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97698","published_at":"2026-04-29T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97693","published_at":"2026-04-26T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97692","published_at":"2026-04-24T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.9769","published_at":"2026-04-16T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97683","published_at":"2026-04-13T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97682","published_at":"2026-04-12T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.9768","published_at":"2026-04-11T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97677","published_at":"2026-04-09T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97674","published_at":"2026-04-08T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.9767","published_at":"2026-04-07T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97669","published_at":"2026-04-04T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_elements":"0.97668","published_at":"2026-04-02T12:55:00Z"},{"value":"0.47156","scoring_system":"epss","scoring_
elements":"0.97662","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi
?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elemen
ts":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND25
4TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.orac
le.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997777","reference_id":"1997777","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997777"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39146","reference_id":"CVE-2021-39146","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39146"},{"reference_url":"https://x-stream.github.io/CVE-2021-39146.html","reference_id":"CVE-2021-39146.HTML","reference_type":"","scores":[{"value":"8.5","scoring_system
":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39146.html"},{"reference_url":"https://github.com/advisories/GHSA-p8pq-r894-fm8f","reference_id":"GHSA-p8pq-r894-fm8f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p8pq-r894-fm8f"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"
vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39146","GHSA-p8pq-r894-fm8f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eeye-wfxf-x7cc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52432?format=json","vulnerability_id":"VCID-exrn-u19r-wfd8","summary":"Duplicate Advisory: Denial of Service due to parser crash\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references.\n\n## Original Description\nThose using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack.","references":[{"reference_url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/issues/304","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/issues/304"},{"reference_url":"https://github.com/x-stream/xstream/issues/314","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/issues/314"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40151","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40151"},{"reference_url":"https://github.com/advisories/GHSA-3mq5-fq9h-gj7j","reference_id":"GHSA-3mq5-fq9h-gj7j","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3mq5-fq9h-gj7j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80464?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fcg2-x3s5-wudk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20"}],"aliases":["GHSA-3mq5-fq9h-gj7j","GMS-2022-9109"],"risk_score":1.4,"exploitability":"0.
5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-exrn-u19r-wfd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11072?format=json","vulnerability_id":"VCID-f779-wcjk-kfc1","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39154.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39154.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39154","reference_id":"","reference_type":"","scores":[{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.715","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71489","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7144","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71407","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71425","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71418","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71406","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.7139","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00674","scoring_sy
stem":"epss","scoring_elements":"0.71373","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71365","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71438","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71459","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71453","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores
":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":""
,"scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39154.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39154.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997801","reference_id":"1997801","ref
erence_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997801"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39154","reference_id":"CVE-2021-39154","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39154"},{"reference_url":"https://github.com/advisories/GHSA-6w62-hx7r-mw68","reference_id":"GHSA-6w62-hx7r-mw68","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6w62-hx7r-mw68"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url"
:"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39154","GHSA-6w62-hx7r-mw68"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f779-wcjk-kfc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17274?format=json","vulnerability_id":"VCID-fcg2-x3s5-wudk","summary":"XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream\n### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.\n\n### Patches\nXStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for 
[CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html).\n\n### Credits\nAlexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47072","reference_id":"","reference_type":"","scores":[{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49419","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49463","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49453","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49494","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49496","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49429","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49455","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49409","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49464","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49459","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49476","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.4945","published_at":"2026-04-13T1
2:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49448","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47072"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47072","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47072"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/"}],"url":"https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"},{"reference_url":"https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a","reference_id":"","reference_type":"",
"scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/"}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47072","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/V
C:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47072"},{"reference_url":"https://x-stream.github.io/CVE-2024-47072.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-08T15:17:42Z/"}],"url":"https://x-stream.github.io/CVE-2024-47072.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274","reference_id":"1087274","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2324606","reference_id":"2324606","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2324606"},{"reference_url":"https://github.com/advisories/GHSA-hfq9-hggm-c56q","reference_id":"GHSA-hfq9-hggm-c56q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hfq9-hggm-c56q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10214","reference_id":"RHSA-2024:10214","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10214"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2218","reference_id":"RHSA-2025:2218","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2218"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2219","reference_id":"RHSA-2025:2219","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2219"},{"re
ference_url":"https://access.redhat.com/errata/RHSA-2025:2220","reference_id":"RHSA-2025:2220","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2220"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2221","reference_id":"RHSA-2025:2221","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2221"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2222","reference_id":"RHSA-2025:2222","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2222"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2223","reference_id":"RHSA-2025:2223","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2223"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57123?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.21"}],"aliases":["CVE-2024-47072","GHSA-hfq9-hggm-c56q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fcg2-x3s5-wudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52285?format=json","vulnerability_id":"VCID-hqzr-vc5w-9ff5","summary":"Denial of Service due to parser crash\nThose using FasterXML/woodstox to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack.\n\nThis vulnerability is only relevant for users making use of the DTD parsing functionality.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40152.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40152.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40152","reference_id":"","reference_type":"","scores":[{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74184","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74176","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.7414","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.7415","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74141","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74102","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74109","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74126","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74105","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.7406","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.7409","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_elements":"0.74057","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00803","scoring_system":"epss","scoring_eleme
nts":"0.74086","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40152"},{"reference_url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:21Z/"}],"url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/FasterXML/woodstox","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox"},{"reference_url":"https://github.com/FasterXML/woodstox/issues/157","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox/issues/157"},{"reference_url":"https://github.com/FasterXML/woodstox/issues/160","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox/issues/160"},{"reference_url":"https://github.com/FasterXML/woodstox/pull/159","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox/pull/159"},{"reference_url":"https://github.com/x-stream/xstream/issues/304","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:21Z/"}],"url":"https://github.com/x-stream/xstream/issues/304"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40152","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40152"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032089","reference_id":"1032089","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032089"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2134291","reference_id":"2134291","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2134291"},{"reference_url":"https://github.com/advisories/GHSA-3f7h-mf4q-vrm4","reference_id":"GHSA-3f7h-mf4q-vrm4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scor
ing_elements":""}],"url":"https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0469","reference_id":"RHSA-2023:0469","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0469"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0552","reference_id":"RHSA-2023:0552","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0552"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0553","reference_id":"RHSA-2023:0553","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0553"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0554","reference_id":"RHSA-2023:0554","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0554"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0556","reference_id":"RHSA-2023:0556","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0556"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2100","reference_id":"RHSA-2023:2100","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2100"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3299","reference_id":"RHSA-2023:3299","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3299"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3641","reference_id":"RHSA-2023:3641","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3641"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3815","reference_id":"RHSA-2023:3815","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3815"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:4983","reference_id":"RHSA-2023:4983","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:4983"},{"reference_url":"https://access.redhat.co
m/errata/RHSA-2025:4437","reference_id":"RHSA-2025:4437","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4437"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80464?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fcg2-x3s5-wudk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20"}],"aliases":["CVE-2022-40152","GHSA-3f7h-mf4q-vrm4"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hqzr-vc5w-9ff5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33232?format=json","vulnerability_id":"VCID-hsja-ryzy-7bbx","summary":"Server-Side Request Forgery can be triggered when unmarshalling with XStream\n### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.15.\n\n### Workarounds\nThe reported vulnerability does not exist when running Java 15 or higher.\n\nNo user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! 
Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.\n\nUsers of XStream 1.4.14 or below who still insist on using XStream's default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.\n\nUsers of XStream 1.4.14 can simply add two lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\n\nUsers of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _jdk.nashorn.internal.objects.NativeString.class_, _java.lang.Void_ and _void_ and deny several types by name pattern.\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, \"jdk.nashorn.internal.objects.NativeString\", java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:\n```Java\nxstream.registerConverter(new Converter() {\n  public boolean canConvert(Class type) {\n    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n        || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n        || type == java.lang.Void.class || void.class || Proxy.isProxy(type))\n        || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n  }\n\n  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n\n  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n}, XStream.PRIORITY_LOW);\n```\n \n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26258.json","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26258.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26258","reference_id":"","reference_type":"","scores":[{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.99844","published_at":"2026-04-02T12:55:00Z"},{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.9985","published_at":"2026-04-29T12:55:00Z"},{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.99849","published_at":"2026-04-26T12:55:00Z"},{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.99848","published_at":"2026-04-24T12:55:00Z"},{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.99847","published_at":"2026-04-21T12:55:00Z"},{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.99846","published_at":"2026-04-18T12:55:00Z"},{"value":"0.9368","scoring_system":"epss","scoring_elements":"0.99845","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26258"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/
A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28"},{"reference_url":"https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E"},{"reference_url":"https://lists.debian.org/d
ebian-lts-announce/2020/12/msg00042.html","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/packag
e-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26258","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26258"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210409-0005","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring
_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210409-0005"},{"reference_url":"https://www.debian.org/security/2021/dsa-4828","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4828"},{"reference_url":"https://x-stream.github.io/CVE-2020-26258.html","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2020-26258.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1908832","reference_id":"1908832","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1908832"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977625","reference_id":"977625","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977625"},{"reference_url":"https://github.com/advisories/GHSA-4cch-wxpw-8p28","reference_id":"GHSA-4cch-wxpw-8p28","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4cch-wxpw-8p28"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"ht
tps://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3205","reference_id":"RHSA-2021:3205","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3205"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://usn.ubuntu.com/4714-1/","reference_id":"USN-4714-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4714-1/"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73041?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"v
ulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.15"}],"aliases":["CVE-2020-26258","GHSA-4cch-wxpw-8p28"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hsja-ryzy-7bbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52776?format=json","vulnerability_id":"VCID-mfub-hwcq-pqbt","summary":"XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow\n### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html).\n\n### Credits\nThe vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40151.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40151.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40151","reference_id":"","reference_type":"","scores":[{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49162","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49204","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49195","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49206","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49237","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49239","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49192","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49188","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49215","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49197","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49166","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.492","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49146","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00258","scoring_system":"
epss","scoring_elements":"0.49194","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40151"},{"reference_url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:18Z/"}],"url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/issues/304","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","sco
ring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:39:18Z/"}],"url":"https://github.com/x-stream/xstream/issues/304"},{"reference_url":"https://github.com/x-stream/xstream/issues/314","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/issues/314"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40151","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40151"},{"reference_url":"https://x-stream.github.io/CVE-2022-40151.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2022-40151.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2134292","reference_id":"2134292","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2134292"},{"reference_url":"https://github.com/advisories/GHSA-f8cc-g7j8-xx
pm","reference_id":"GHSA-f8cc-g7j8-xxpm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8cc-g7j8-xxpm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0469","reference_id":"RHSA-2023:0469","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0469"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2100","reference_id":"RHSA-2023:2100","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2100"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3299","reference_id":"RHSA-2023:3299","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3299"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80464?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fcg2-x3s5-wudk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.20"}],"aliases":["CVE-2022-40151","GHSA-f8cc-g7j8-xxpm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mfub-hwcq-pqbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11100?format=json","vulnerability_id":"VCID-na6t-mkxt-3qbw","summary":"XStream is vulnerable to a Remote Command Execution attack\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. 
Users who followed the recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39144","reference_id":"","reference_type":"","scores":[{"value":"0.94255","scoring_system":"epss","scoring_elements":"0.99934","published_at":"2026-04-24T12:55:00Z"},{"value":"0.94255","scoring_system":"epss","scoring_elements":"0.99935","published_at":"2026-04-29T12:55:00Z"},{"value":"0.94255","scoring_system":"epss","scoring_elements":"0.99933","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cg
i?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.or
g/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2F
WWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproj
ect.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generi
c_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997772","reference_id":"1997772","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997772"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39144","reference_id":"CVE-2021-39144","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39144"},{"reference_url":"https://x-stream.github.io/CVE-2021-39144.html","reference_id":"CVE-2021-39144.HTML","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring
_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://x-stream.github.io/CVE-2021-39144.html"},{"reference_url":"https://github.com/advisories/GHSA-j9h8-phrw-h4fh","reference_id":"GHSA-j9h8-phrw-h4fh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j9h8-phrw-h4fh"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh","reference_id":"GHSA-j9h8-phrw-h4fh","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","r
eference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1303","reference_id":"RHSA-2023:1303","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1303"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream
/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39144","GHSA-j9h8-phrw-h4fh"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-na6t-mkxt-3qbw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4679?format=json","vulnerability_id":"VCID-nn7p-d7hz-53d5","summary":"XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") 
call.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1832","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:1832"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2888","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:2888"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2889","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:2889"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7957.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7957.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7957","reference_id":"","reference_type":"","scores":[{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85645","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85707","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.8571","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85733","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02
639","scoring_system":"epss","scoring_elements":"0.85728","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85752","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85762","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85763","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85662","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85633","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85729","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85714","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.857","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85689","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85669","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7957"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/125800","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/125800"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8"
,"scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:C"},{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab"},{"reference_url":"https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d"},{"reference_url":"https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7957","reference_id":"","reference_type":"","scores":[{"value"
:"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:P"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7957"},{"reference_url":"https://www-prd-trops.events.ibm.com/node/715749","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www-prd-trops.events.ibm.com/node/715749"},{"reference_url":"http://www.debian.org/security/2017/dsa-3841","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2017/dsa-3841"},{"reference_url":"http://www.securityfocus.com/bid/100687","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/100687"},{"reference_url":"http://www.securitytracker.com/id/1039499","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1039499"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1441538","reference_id":"1441538","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug
.cgi?id=1441538"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521","reference_id":"861521","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://n
vd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"reference_url":"https://access.redhat.com/security/cve/cve-2017-7957","reference_id":"CVE-2017-7957","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/cve-2017-7957"},{"reference_url":"https://security-tracker.debian.org/tracker/CVE-2017-7957","reference_id":"CVE-2017-7957","reference_type":"","scores":[],"url":"https://security-tracker.debian.org/tracker/CVE-2017-7957"},{"reference_url":"http://x-stream.github.io/CVE-2017-7957.html","reference_id":"CVE-2017-7957.HTML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/CVE-2017-7957.html"},{"reference_url":"https://github.com/advisories/GHSA-7hwc-46rm-65jh","reference_id":"GHSA-7hwc-46rm-65jh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7hwc-46rm-65jh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73378?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-2t1b-135u-euem"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-bdv1-cuyk-sqc1"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-hsja-ryzy-7bbx"},{"vulnerability":"VCID-mfub-hwcq-
pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vn1d-9uf5-gbce"},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-y8ub-2kad-kqbs"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.10"}],"aliases":["CVE-2017-7957","GHSA-7hwc-46rm-65jh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nn7p-d7hz-53d5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11073?format=json","vulnerability_id":"VCID-npjx-vkrd-9bae","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39141.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39141.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39141","reference_id":"","reference_type":"","scores":[{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99203","published_at":"2026-04-29T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99201","published_at":"2026-04-21T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99199","published_at":"2026-04-16T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99198","published_at":"2026-04-12T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99197","published_at":"2026-04-13T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99196","published_at":"2026-04-07T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99192","published_at":"2026-04-04T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.9919","published_at":"2026-04-02T12:55:00Z"},{"value":"0.81843","scoring_system":"epss","scoring_elements":"0.99188","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":
"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":
"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.
org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring
_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_t
ype":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997769","reference_id":"1997769","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997769"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39141","reference_id":"CVE-2021-39141","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39141"},{"reference_url":"https://x-stream.github.io/CVE-2021-39141.html","reference_id":"CVE-2021-39141.HTML","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39141.html"},{"reference_url":"https://github.com/advisories/GHSA-g5w6-mrj7-75h2","reference_id":"GHSA-g5w6-mrj7-75h2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.c
om/advisories/GHSA-g5w6-mrj7-75h2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39141","GHSA-g5w6-mrj7-75h2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url
":"http://public2.vulnerablecode.io/vulnerabilities/VCID-npjx-vkrd-9bae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42346?format=json","vulnerability_id":"VCID-nrf7-heu6-vfdc","summary":"XStream is vulnerable to an Arbitrary Code Execution attack\n### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21344](https://x-stream.github.io/CVE-2021-21344.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21344.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21344.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21344","reference_id":"","reference_type":"","scores":[{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.9673","published_at":"2026-04-29T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96725","published_at":"2026-04-24T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96682","published_at":"2026-04-01T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96727","published_at":"2026-04-26T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96724","published_at":"2026-04-18T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.9672","published_at":"2026-04-16T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96714","published_at":"2026-04-13T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96711","published_at":"2026-04-12T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96708","published_at":"2026-04-09T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96706","published_at":"2026-04-08T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96699","published_at":"2026-04-07T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96694","published_at":"2026-04-04T12:55:00Z"},{"value":"0.30602","scoring_system":"epss","scoring_elements":"0.96693","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1
/epss?cve=CVE-2021-21344"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2f
ac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scor
ing_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21344","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21344"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","s
coring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21344.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/U
I:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21344.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942554","reference_id":"1942554","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942554"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-59jw-jqf4-3wq3","reference_id":"GHSA-59jw-jqf4-3wq3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-59jw-jqf4-3wq3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1354","reference_id":"RHSA-2021:1354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1354"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"R
HSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{
"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21344","GHSA-59jw-jqf4-3wq3"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nrf7-heu6-vfdc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42043?format=json","vulnerability_id":"VCID-qh44-75jb-wbhf","summary":"XStream is vulnerable to a Remote Command Execution attack\n### Impact\nThe vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21345](https://x-stream.github.io/CVE-2021-21345.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21345.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21345.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21345","reference_id":"","reference_type":"","scores":[{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.9949","published_at":"2026-04-29T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99489","published_at":"2026-04-24T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99488","published_at":"2026-04-18T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99479","published_at":"2026-04-02T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99486","published_at":"2026-04-13T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99485","published_at":"2026-04-09T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99484","published_at":"2026-04-08T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99483","published_at":"2026-04-07T12:55:00Z"},{"value":"0.88091","scoring_system":"epss","scoring_elements":"0.99481","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21345"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/
AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lis
ts.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/p
ackage-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21345","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21345"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.8","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21345.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_
textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21345.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942558","reference_id":"1942558","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942558"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-hwpc-8xqv-jvj4","reference_id":"GHSA-hwpc-8xqv-jvj4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hwpc-8xqv-jvj4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1354","reference_id":"RHSA-2021:1354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1354"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access
.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d
623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21345","GHSA-hwpc-8xqv-jvj4"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qh44-75jb-wbhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47417?format=json","vulnerability_id":"VCID-qvbb-jhkk-2udw","summary":"XStream is vulnerable to a Remote Command Execution attack\n### Impact\nThe vulnerability may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-29505](https://x-stream.github.io/CVE-2021-29505.html).\n\n### Credits\n\nV3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Email us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29505.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29505.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29505","reference_id":"","reference_type":"","scores":[{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99632","published_at":"2026-04-29T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99629","published_at":"2026-04-26T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99628","published_at":"2026-04-24T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99627","published_at":"2026-04-21T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99626","published_at":"2026-04-16T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99625","published_at":"2026-04-18T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99624","published_at":"2026-04-07T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99623","published_at":"2026-04-04T12:55:00Z"},{"value":"0.90769","scoring_system":"epss","scoring_elements":"0.99622","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29505"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N
/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f"},{"reference_url":"https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"},{"reference_url":"https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scorin
g_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H
/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value
":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29505","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29505"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210708-0007","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210708-0007"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}
,{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-29505.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-29505.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1966735","reference_id":"1966735","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1966735"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989491","reference_id":"989491","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989491"},{"reference_url":"https://github.com/advisories/GHSA-7chv-rrw6-w6fc","reference_id":"GHSA-7chv-rrw6-w6fc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7chv-rrw6-w6fc"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2683","reference_id":"RHSA-2021:2683","reference_
type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2683"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77108?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-rfc1-r1g
r-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.17"}],"aliases":["CVE-2021-29505","GHSA-7chv-rrw6-w6fc"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qvbb-jhkk-2udw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42293?format=json","vulnerability_id":"VCID-qwp5-wae9-cffb","summary":"XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)\n### Impact\nThe vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21348](https://x-stream.github.io/CVE-2021-21348.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21348.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21348.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21348","reference_id":"","reference_type":"","scores":[{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48914","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.4896","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.4893","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48894","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48959","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.49006","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48951","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48956","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.4891","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48964","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48961","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48963","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.49002","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00256","scoring_system":"e
pss","scoring_elements":"0.48978","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48952","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mess
age/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21348","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21348"},{"reference_url":"https://security
.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts
/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21348.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21348.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942633","reference_id":"1942633","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942633"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-56p8-3fh9-4cvq","reference_id":"GHSA-56p8-3fh9-4cvq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-56p8-3fh9-4cvq"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/
RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulner
ability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21348","GHSA-56p8-3fh9-4cvq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qwp5-wae9-cffb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42051?format=json","vulnerability_id":"VCID-re5g-6kjz-q7e8","summary":"XStream is vulnerable to an Arbitrary Code Execution attack\n### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21351](https://x-stream.github.io/CVE-2021-21351.html).\n\n### Credits\nwh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21351.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21351.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21351","reference_id":"","reference_type":"","scores":[{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99707","published_at":"2026-04-29T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99706","published_at":"2026-04-26T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99695","published_at":"2026-04-02T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99704","published_at":"2026-04-21T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99701","published_at":"2026-04-18T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.997","published_at":"2026-04-16T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99699","published_at":"2026-04-13T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99698","published_at":"2026-04-09T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99697","published_at":"2026-04-07T12:55:00Z"},{"value":"0.92","scoring_system":"epss","scoring_elements":"0.99696","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21351"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores
":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6
b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","referen
ce_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21351","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21351"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2
021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21351.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21351.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI
:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942642","reference_id":"1942642","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942642"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-hrcp-8f3q-4w2c","reference_id":"GHSA-hrcp-8f3q-4w2c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hrcp-8f3q-4w2c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","refer
ence_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21351","GHSA-hrcp-8f3q-4w2c"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"7.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-re5g-6kjz-q7e8"},{"url":"http://public2.vulnerablecode
.io/api/vulnerabilities/11067?format=json","vulnerability_id":"VCID-rfc1-r1gr-wffp","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39151.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39151.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39151","reference_id":"","reference_type":"","scores":[{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72268","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72273","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72265","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.7214","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72199","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72214","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72192","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.7218","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72143","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00708","scoring_sys
tem":"epss","scoring_elements":"0.72166","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72145","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72222","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72236","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72226","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72185","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","referen
ce_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1",
"scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@l
ists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"r
eference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39151.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-391
51.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997791","reference_id":"1997791","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997791"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39151","reference_id":"CVE-2021-39151","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39151"},{"reference_url":"https://github.com/advisories/GHSA-hph2-m3g5-xxv4","reference_id":"GHSA-hph2-m3g5-xxv4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hph2-m3g5-xxv4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://
access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39151","GHSA-hph2-m3g5-xxv4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rfc1-r1gr-wffp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42318?format=json","vulnerability_id":"VCID-sqb5-brnu-vfbk","summary":"XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights\n### Impact\nThe processed stream at unmarshalling time contains type information to recreate the formerly written objects.  XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21343](https://x-stream.github.io/CVE-2021-21343.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21343.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21343.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21343","reference_id":"","reference_type":"","scores":[{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70141","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70226","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70125","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70078","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00623","scoring_syste
m":"epss","scoring_elements":"0.70101","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70086","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.7019","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70227","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70219","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70164","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70073","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.7015","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70137","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70168","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70181","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21343"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value"
:"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-l
ts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_ele
ments":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21343","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21343"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_typ
e":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21343.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21343.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring
_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942550","reference_id":"1942550","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942550"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-74cv-f58x-f9wf","reference_id":"GHSA-74cv-f58x-f9wf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-74cv-f58x-f9wf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[]
,"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21343","GHSA-74cv-f58x-f9wf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sqb5-brnu-vfbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41977?format=json","vulnerability_id":"VCID-u5yy-xx6z-dfh6","summary":"A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host\n### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by 
manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21349](https://x-stream.github.io/CVE-2021-21349.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21349.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21349.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21349","reference_id":"","reference_type":"","scores":[{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91322","published_at":"2026-04-29T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91323","published_at":"2026-04-26T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91239","published_at":"2026-04-01T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91324","published_at":"2026-04-24T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","sc
oring_elements":"0.91314","published_at":"2026-04-21T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91312","published_at":"2026-04-18T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91313","published_at":"2026-04-16T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91288","published_at":"2026-04-13T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91289","published_at":"2026-04-12T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91286","published_at":"2026-04-11T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91279","published_at":"2026-04-09T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91272","published_at":"2026-04-08T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.9126","published_at":"2026-04-07T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91253","published_at":"2026-04-04T12:55:00Z"},{"value":"0.06747","scoring_system":"epss","scoring_elements":"0.91243","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE",
"scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/
2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS
:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21349","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21349"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","score
s":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21349.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21349.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"ge
neric_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942635","reference_id":"1942635","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942635"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-f6hm-88x3-mfjv","reference_id":"GHSA-f6hm-88x3-mfjv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6hm-88x3-mfjv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1029","reference_id":"RHSA-2022:1029","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1029"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"http
s://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21349","GHSA-f6hm-88x3-mfjv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u5yy-xx6z-dfh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11075?format=json","vulnerability_id":"VCID-v7za-zjfx-mqek","summary":"Server-Side Request Forgery (SSRF)\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime. 
Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39152.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39152.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39152","reference_id":"","reference_type":"","scores":[{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98346","published_at":"2026-04-26T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98345","published_at":"2026-04-29T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98341","published_at":"2026-04-21T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98321","published_at":"2026-04-01T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98333","published_at":"2026-04-09T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98328","published_at":"2026-04-07T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98325","published_at":"2026-04-04T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98323","published_at":"2026-04-02T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98342","published_at":"2026-04-18T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98337","published_at":"2026-04-13T12:55:00Z"},{"value":"0.61765","scoring_system":"epss","scoring_elements":"0.98336","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id"
:"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3
9151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"",
"scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https
://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","sco
ring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39152.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39152.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997793","reference_id":"1997793","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997793"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39152","reference_id":"CVE-2021-39152","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39152"},{"reference_url":"https://
github.com/advisories/GHSA-xw4p-crpj-vjx2","reference_id":"GHSA-xw4p-crpj-vjx2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xw4p-crpj-vjx2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnera
blecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39152","GHSA-xw4p-crpj-vjx2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v7za-zjfx-mqek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33206?format=json","vulnerability_id":"VCID-vn1d-9uf5-gbce","summary":"XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling\n### Impact\nThe vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights, only by manipulating the processed input stream.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.15.\n\n### Workarounds\nThe reported vulnerability only exists with a JAX-WS runtime on the classpath.\n\nNo user is affected who followed the recommendation to set up XStream's Security Framework with a whitelist! 
Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.\n\nUsers of XStream 1.4.14 or below who still insist on using XStream's default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.\n\nUsers of XStream 1.4.14 can simply add two lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\n\nUsers of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _jdk.nashorn.internal.objects.NativeString.class_, _java.lang.Void_ and _void_ and deny several types by name pattern.\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, \"jdk.nashorn.internal.objects.NativeString\", java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:\n```Java\nxstream.registerConverter(new Converter() {\n  public boolean canConvert(Class type) {\n    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n        || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n        || type == java.lang.Void.class || void.class || Proxy.isProxy(type))\n        || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n  }\n\n  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n\n  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n}, XStream.PRIORITY_LOW);\n```\n  \n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26259.json","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26259.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26259","reference_id":"","reference_type":"","scores":[{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99526","published_at":"2026-04-29T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99524","published_at":"2026-04-21T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99522","published_at":"2026-04-18T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99516","published_at":"2026-04-01T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99519","published_at":"2026-04-13T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99518","published_at":"2026-04-08T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99517","published_at":"2026-04-07T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99515","published_at":"2026-04-02T12:55:00Z"},{"value":"0.8887","scoring_system":"epss","scoring_elements":"0.99521","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26259"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259"},{"reference_url":"ht
tps://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"},{"reference_url":"https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.de
bian.org/debian-lts-announce/2020/12/msg00042.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv
3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26259","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26259"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210409-0005","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210409-0005"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210409-0005/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210409-0005/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4828","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4828"},{"reference_url":"https://x-stream.github.io/CVE-2020-26259.html","reference_id":"","refe
rence_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2020-26259.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1908837","reference_id":"1908837","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1908837"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977624","reference_id":"977624","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977624"},{"reference_url":"https://github.com/advisories/GHSA-jfvx-7wrx-43fh","reference_id":"GHSA-jfvx-7wrx-43fh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jfvx-7wrx-43fh"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3205","reference_id":"RHSA-2021:3205","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3205"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"u
rl":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4714-1/","reference_id":"USN-4714-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4714-1/"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73041?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"}],"resource_u
rl":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.15"}],"aliases":["CVE-2020-26259","GHSA-jfvx-7wrx-43fh"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vn1d-9uf5-gbce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41968?format=json","vulnerability_id":"VCID-vpxs-6wcf-ckh9","summary":"XStream is vulnerable to an Arbitrary Code Execution attack\n### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21346](https://x-stream.github.io/CVE-2021-21346.html).\n\n### Credits\nwh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21346.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21346.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21346","reference_id":"","reference_type":"","scores":[{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87932","published_at":"2026-04-29T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87934","published_at":"2026-04-26T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.8784","published_at":"2026-04-01T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.8785","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87863","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87927","published_at":"2026-04-24T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.8791","published_at":"2026-04-21T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87866","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87888","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87894","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87911","published_at":"2026-04-18T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87906","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87899","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03665","scoring_system":"e
pss","scoring_elements":"0.87912","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03665","scoring_system":"epss","scoring_elements":"0.87898","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21346"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mess
age/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21346","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21346"},{"reference_url":"https://security
.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts
/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21346.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21346.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942578","reference_id":"1942578","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942578"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-4hrm-m67v-5cxr","reference_id":"GHSA-4hrm-m67v-5cxr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hrm-m67v-5cxr"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1354","reference_id":"RHSA-2021:1354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1354"},{"reference_url":"https://access.redhat.com/errata/
RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VC
ID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21346","GHSA-4hrm-m67v-5cxr"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vpxs-6wcf-ckh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11070?format=json","vulnerability_id":"VCID-wehr-d623-akaj","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. 
Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39140.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39140.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39140","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33459","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33544","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.3371","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33564","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33938","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.3397","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33948","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33972","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.34015","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33984","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33942","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.34083","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scorin
g_elements":"0.34053","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.c
gi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","
scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PV
PHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-500
4"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39140.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39140.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997765","reference_id":"1997765","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997765"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39140","reference_id":"CVE-2021-39140","reference_type":"","score
s":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39140"},{"reference_url":"https://github.com/advisories/GHSA-6wf9-jmg9-vxcc","reference_id":"GHSA-6wf9-jmg9-vxcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wf9-jmg9-vxcc"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":
[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39140","GHSA-6wf9-jmg9-vxcc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wehr-d623-akaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42030?format=json","vulnerability_id":"VCID-xdpy-sx55-b3ac","summary":"XStream is vulnerable to an Arbitrary Code Execution attack\n### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21347](https://x-stream.github.io/CVE-2021-21347.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21347.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21347.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21347","reference_id":"","reference_type":"","scores":[{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87236","published_at":"2026-04-29T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87233","published_at":"2026-04-26T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.8714","published_at":"2026-04-01T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87227","published_at":"2026-04-24T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87208","published_at":"2026-04-21T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87215","published_at":"2026-04-18T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.8721","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87194","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87199","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87205","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87191","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87185","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87165","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03287","scoring_system":"
epss","scoring_elements":"0.87168","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03287","scoring_system":"epss","scoring_elements":"0.87151","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21347"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http
s://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mes
sage/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21347","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21347"},{"reference_url":"https://securit
y.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alert
s/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21347.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21347.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942629","reference_id":"1942629","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942629"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-qpfq-ph7r-qv6f","reference_id":"GHSA-qpfq-ph7r-qv6f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpfq-ph7r-qv6f"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1354","reference_id":"RHSA-2021:1354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1354"},{"reference_url":"https://access.redhat.com/errata
/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"V
CID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21347","GHSA-qpfq-ph7r-qv6f"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xdpy-sx55-b3ac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11069?format=json","vulnerability_id":"VCID-xsr8-3cke-33ck","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39149.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39149.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39149","reference_id":"","reference_type":"","scores":[{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72268","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72273","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72265","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.7214","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72199","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72214","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72192","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.7218","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72143","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72166","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72145","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72222","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scorin
g_elements":"0.72236","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72226","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72185","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.o
rg/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x","reference_id":"","reference_type":"","scores":[{"value":"8.5","scorin
g_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/p
ackage-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scorin
g_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-39149.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39149.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997784","reference_id":"1997784","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997784"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.d
ebian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39149","reference_id":"CVE-2021-39149","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39149"},{"reference_url":"https://github.com/advisories/GHSA-3ccq-5vw3-2p6x","reference_id":"GHSA-3ccq-5vw3-2p6x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3ccq-5vw3-2p6x"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{"url":"http://public
2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39149","GHSA-3ccq-5vw3-2p6x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xsr8-3cke-33ck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4954?format=json","vulnerability_id":"VCID-y8ub-2kad-kqbs","summary":"Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. 
JSON.","references":[{"reference_url":"http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-7285.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-7285.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-7285","reference_id":"","reference_type":"","scores":[{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.9453","published_at":"2026-04-26T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94531","published_at":"2026-04-29T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94527","published_at":"2026-04-18T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94522","published_at":"2026-04-16T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94508","published_at":"2026-04-13T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94509","published_at":"2026-04-12T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94507","published_at":"2026-04-11T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94503","published_at":"2026-04-09T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.945","published_at":"2026-04-08T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.9449","published_at":"2026-04-07T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94488","published_at":"2026-04-04T12:55:00Z"}
,{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.9448","published_at":"2026-04-02T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94473","published_at":"2026-04-01T12:55:00Z"},{"value":"0.14817","scoring_system":"epss","scoring_elements":"0.94532","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-7285"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285"},{"reference_url":"http://seclists.org/oss-sec/2014/q1/69","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/oss-sec/2014/q1/69"},{"reference_url":"https://fisheye.codehaus.org/changelog/xstream?cs=2210","reference_id":"","reference_type":"","scores":[],"url":"https://fisheye.codehaus.org/changelog/xstream?cs=2210"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d"},{"reference_url":"https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%
3Cissues.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-7285","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-7285"},{"reference_url":"https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html"},{"reference_url":"https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_ele
ments":""}],"url":"https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://x-stream.github.io/CVE-2013-7285.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2013-7285.html"},{"reference_url":"http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1051277","reference_id":"1051277","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1051277"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821","reference_id":"734821","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821"},{"reference_url":"https://bugzilla.redhat.com/CVE-2013-7285","reference_id":"CVE-2013-7285","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/CVE-2013-7285"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/39193.txt","ref
erence_id":"CVE-2013-7285;OSVDB-102253","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/39193.txt"},{"reference_url":"https://github.com/advisories/GHSA-f554-x222-wgf7","reference_id":"GHSA-f554-x222-wgf7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f554-x222-wgf7"},{"reference_url":"https://security.gentoo.org/glsa/201612-35","reference_id":"GLSA-201612-35","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201612-35"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0216","reference_id":"RHSA-2014:0216","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0216"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0294","reference_id":"RHSA-2014:0294","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0294"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0323","reference_id":"RHSA-2014:0323","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0323"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0374","reference_id":"RHSA-2014:0374","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0374"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0389","reference_id":"RHSA-2014:0389","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0389"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0452","reference_id":"RHSA-2014:0452","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0452"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1007","reference_id":"RHSA-2014:1007","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:1007"},{"reference_url":"https://access.redhat.com/errata/RHSA-20
14:1059","reference_id":"RHSA-2014:1059","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:1059"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1009","reference_id":"RHSA-2015:1009","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1009"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1888","reference_id":"RHSA-2015:1888","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1888"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36466?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-2t1b-135u-euem"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-hsja-ryzy-7bbx"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-nn7p-d7hz-53d5"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vn1d-9uf5-gbce"},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerabil
ity":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"},{"vulnerability":"VCID-znut-tkpq-b7cu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.7"},{"url":"http://public2.vulnerablecode.io/api/packages/79176?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-2t1b-135u-euem"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-hsja-ryzy-7bbx"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vn1d-9uf5-gbce"},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.11"}],"alias
es":["CVE-2013-7285","GHSA-f554-x222-wgf7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y8ub-2kad-kqbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12464?format=json","vulnerability_id":"VCID-yb4j-92y9-nfb5","summary":"Denial of Service by injecting highly recursive collections or maps in XStream\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43859.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43859.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43859","reference_id":"","reference_type":"","scores":[{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83134","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83126","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83119","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83096","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83093","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83092","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83006","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83064","published_at":"2026-04-11T12:55:00
Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83049","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83042","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83017","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83019","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.8299","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83054","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83058","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43859"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":
"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value
":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"ge
neric_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/02/09/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/02/09/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2049783","reference_id":"2049783","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2049783"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43859","reference_id":"CVE-2021-43859","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43859"},{"reference_url":"https://x-stream.github.io/CVE-2021-43859.html","reference_id":"CVE-2021-43859.HTML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://x-stream.github.io/CVE-2021-43859.html"},{"reference_url":"https://github.com/advisories/GHSA-rmr5-cpv2-vgjf","reference_id":"GHSA-rmr5-cpv2-vgjf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.c
om/advisories/GHSA-rmr5-cpv2-vgjf"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf","reference_id":"GHSA-rmr5-cpv2-vgjf","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1420","reference_id":"RHSA-2022:1420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1420"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5606","reference_id":"RHSA-2022:5606","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5606"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/","reference_id":"VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/","reference_id":"XODFRE2ZL64
FICBJDOPWOLPTSSAI4U7X","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:42:17Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44687?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.19"}],"aliases":["CVE-2021-43859","GHSA-rmr5-cpv2-vgjf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yb4j-92y9-nfb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11063?format=json","vulnerability_id":"VCID-yuwe-6pp1-bke2","summary":"Deserialization of Untrusted Data\nXStream is a simple library to serialize objects to XML and back again. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. 
Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39139.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39139.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39139","reference_id":"","reference_type":"","scores":[{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74749","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74747","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.7474","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74622","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74697","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74674","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74659","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74628","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74653","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74626","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74704","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74713","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scori
ng_elements":"0.74705","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74668","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00838","scoring_system":"epss","scoring_elements":"0.74677","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148"},{"reference_url":"https://cve.mitre.
org/cgi-bin/cvename.cgi?name=CVE-2021-39149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44","reference_id":"","reference_type":"","scores":[{"value":"8.5","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/
package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210923-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210923-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210923-0003/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scori
ng_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997763","reference_id":"1997763","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1997763"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054","reference_id":"998054","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39139","reference_id":"CVE-2021-39139","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":
""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39139"},{"reference_url":"https://x-stream.github.io/CVE-2021-39139.html","reference_id":"CVE-2021-39139.HTML","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-39139.html"},{"reference_url":"https://github.com/advisories/GHSA-64xx-cq4q-mf44","reference_id":"GHSA-64xx-cq4q-mf44","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-64xx-cq4q-mf44"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3956","reference_id":"RHSA-2021:3956","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3956"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0296","reference_id":"RHSA-2022:0296","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0296"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0297","reference_id":"RHSA-2022:0297","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0297"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0520","reference_id":"RHSA-2022:0520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0520"},{"reference_url":"https://usn.ubuntu.com/5946-1/","reference_id":"USN-5946-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5946-1/"}],"fixed_packages":[{
"url":"http://public2.vulnerablecode.io/api/packages/38201?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-yb4j-92y9-nfb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.18"}],"aliases":["CVE-2021-39139","GHSA-64xx-cq4q-mf44"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yuwe-6pp1-bke2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42277?format=json","vulnerability_id":"VCID-zm9c-xw64-5qcc","summary":"XStream can cause a Denial of Service.\n### Impact\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21341](https://x-stream.github.io/CVE-2021-21341.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21341.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21341.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21341","reference_id":"","reference_type":"","scores":[{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.9642","published_at":"2026-04-29T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96419","published_at":"2026-04-24T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96418","published_at":"2026-04-21T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96417","published_at":"2026-04-18T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96412","published_at":"
2026-04-16T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96406","published_at":"2026-04-13T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96402","published_at":"2026-04-12T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96398","published_at":"2026-04-09T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96395","published_at":"2026-04-08T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96387","published_at":"2026-04-07T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96372","published_at":"2026-04-01T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96383","published_at":"2026-04-04T12:55:00Z"},{"value":"0.27312","scoring_system":"epss","scoring_elements":"0.96379","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21341"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh","reference_id":"","reference_type":"","scores":[{"value":"7.5","scor
ing_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:
3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedorapr
oject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21341","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21341"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/
cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21341.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21341.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942539","reference_id":"1942539","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942539"},{"reference_url":"https://bugs.debian.org/cgi-bin/bu
greport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-2p3x-qw9c-25hh","reference_id":"GHSA-2p3x-qw9c-25hh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p3x-qw9c-25hh"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulne
rable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21341","GHSA-2p3x-qw9c-25hh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zm9c-xw64-5qcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42312?format=json","vulnerability_id":"VCID-zmh2-t17w-wue1","summary":"A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host\n### Impact\nThe processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21342](https://x-stream.github.io/CVE-2021-21342.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21342.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21342.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21342","reference_id":"","reference_type":"","scores":[{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75258","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75254","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75136","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.7525","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00869","scoring_system"
:"epss","scoring_elements":"0.75212","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75223","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75217","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75214","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75192","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.7518","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75146","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75169","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75139","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21342"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m","reference_i
d":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m"},{"reference_url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","reference_id":"","reference_type":"","s
cores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject
.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21342","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21342"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210430-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210430-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210430-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-5004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-5004"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www
.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://x-stream.github.io/CVE-2021-21342.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/CVE-2021-21342.html"},{"reference_url":"https://x-stream.github.io/security.html#workaround","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://x-stream.github.io/security.html#workaround"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.16","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.16"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942545","reference_id":"1942545","reference_type":"","
scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942545"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843","reference_id":"985843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843"},{"reference_url":"https://github.com/advisories/GHSA-hvv8-336g-rx3m","reference_id":"GHSA-hvv8-336g-rx3m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hvv8-336g-rx3m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2139","reference_id":"RHSA-2021:2139","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2139"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2475","reference_id":"RHSA-2021:2475","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2475"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2476","reference_id":"RHSA-2021:2476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4767","reference_id":"RHSA-2021:4767","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4767"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4918","reference_id":"RHSA-2021:4918","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4918"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://usn.ubuntu.com/4943-1/","reference_id":"USN-4943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4943-1/"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http:
//public2.vulnerablecode.io/api/packages/75871?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],"aliases":["CVE-2021-21342","GHSA-hvv8-336g-rx3m"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zmh2-t17w-wue1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4574?format=json","vulnerability_id":"VCID-znut-tkpq-b7cu","summary":"Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML 
document.","references":[{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-2822.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2016-2822.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-2823.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2016-2823.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-3674","referen
ce_id":"","reference_type":"","scores":[{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86245","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86249","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86251","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86237","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86226","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86206","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86193","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02859","scoring_system":"epss","scoring_elements":"0.86183","published_at":"2026-04-01T12:55:00Z"},{"value":"0.04224","scoring_system":"epss","scoring_elements":"0.88782","published_at":"2026-04-16T12:55:00Z"},{"value":"0.04224","scoring_system":"epss","scoring_elements":"0.8878","published_at":"2026-04-18T12:55:00Z"},{"value":"0.04224","scoring_system":"epss","scoring_elements":"0.88778","published_at":"2026-04-21T12:55:00Z"},{"value":"0.04224","scoring_system":"epss","scoring_elements":"0.88794","published_at":"2026-04-24T12:55:00Z"},{"value":"0.04224","scoring_system":"epss","scoring_elements":"0.888","published_at":"2026-04-26T12:55:00Z"},{"value":"0.04224","scoring_system":"epss","scoring_elements":"0.88799","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-3674"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674"},{"reference_url":"https://github.com/x-stream/xstream","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1",
"scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream"},{"reference_url":"https://github.com/x-stream/xstream/commit/25c6704bea149ee93c294ae5b6e0aecd182fea88","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/25c6704bea149ee93c294ae5b6e0aecd182fea88"},{"reference_url":"https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f"},{"reference_url":"https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe94","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe94"},{"reference_url":"https://github.com/x-stream/xstream/commit/7c77ac0397a1f93c69d2776a13c31957f55d1647","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/7c77ac0397a1f93c69d2776a13c31957f55d1647"},{"reference_url":"https://github.com/x-stream/xstream/commit/806949e1b3c22a3b31819a37402489a0303221a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/806949e1b3c22a3b31819a37402489a0303221a"},{"reference_url":"https://github.com/x-stream/xstream/commit/87172cfc1dd7f8f6e137963c778b03efd14ac446","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/87172cfc1dd7f8f6e137963c778b03efd14ac446"},{"reference_url":"https://github.com/x-stream/xstream/commit/c9b121a88664988ccbabd83fa27bfc2a5e0bd139","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/c9b121a88664988ccbabd83fa27bfc2a5e0bd139"},{"reference_url":"https://github.com/x-stream/xstream/commit/e4f1457e681e015be83c6b0b84947676980e
29d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/x-stream/xstream/commit/e4f1457e681e015be83c6b0b84947676980e29d"},{"reference_url":"https://github.com/x-stream/xstream/issues/25","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/issues/25"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3674","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3674"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385"},{"reference_url":"http://www.debian.org/security/2016/dsa-3575","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2016/dsa-3575"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/03/25/8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:
N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/03/25/8"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/03/28/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/03/28/1"},{"reference_url":"http://www.securityfocus.com/bid/85381","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/85381"},{"reference_url":"http://www.securitytracker.com/id/1036419","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1036419"},{"reference_url":"http://x-stream.github.io/changes.html#1.4.9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://x-stream.github.io/changes.html#1.4.9"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1321789","reference_id":"1321789","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1321789"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455","reference_id":"819455","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455"},{"reference_url":"https://nvd.nist.gov/vuln/s
earch/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-rgh3-987h-wpmw","reference_id":"GHSA-rgh3-987h-wpmw","refer
ence_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rgh3-987h-wpmw"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:2822","reference_id":"RHSA-2016:2822","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:2822"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:2823","reference_id":"RHSA-2016:2823","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:2823"},{"reference_url":"https://usn.ubuntu.com/6978-1/","reference_id":"USN-6978-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6978-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73407?format=json","purl":"pkg:maven/com.thoughtworks.xstream/xstream@1.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12bx-r37t-3ygm"},{"vulnerability":"VCID-2t1b-135u-euem"},{"vulnerability":"VCID-6mz4-fu3s-vycx"},{"vulnerability":"VCID-7ma6-2uv1-sbef"},{"vulnerability":"VCID-8gha-n6ke-nucu"},{"vulnerability":"VCID-9442-1vwr-5fbt"},{"vulnerability":"VCID-c5tu-31kw-mfcf"},{"vulnerability":"VCID-dxpe-qmxq-ykax"},{"vulnerability":"VCID-eeye-wfxf-x7cc"},{"vulnerability":"VCID-exrn-u19r-wfd8"},{"vulnerability":"VCID-f779-wcjk-kfc1"},{"vulnerability":"VCID-fcg2-x3s5-wudk"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-hsja-ryzy-7bbx"},{"vulnerability":"VCID-mfub-hwcq-pqbt"},{"vulnerability":"VCID-na6t-mkxt-3qbw"},{"vulnerability":"VCID-nn7p-d7hz-53d5"},{"vulnerability":"VCID-npjx-vkrd-9bae"},{"vulnerability":"VCID-nrf7-heu6-vfdc"},{"vulnerability":"VCID-qh44-75jb-wbhf"},{"vulnerability":"VCID-qvbb-jhkk-2udw"},{"vulnerability":"VCID-qwp5-wae9-cffb"},{"vulnerability":"VCID-re5g-6kjz-q7e8"},{"vulnerability":"VCID-rfc1-r1gr-wffp"},{"vulnerability":"VCID-sqb5-brnu-vfbk"},{"vulnerability":"VCID-u5yy-xx6z-dfh6"},{"vulnerability":"VCID-v7za-zjfx-mqek"},{"vulnerability":"VCID-vn1d-9uf5-gbce"
},{"vulnerability":"VCID-vpxs-6wcf-ckh9"},{"vulnerability":"VCID-wehr-d623-akaj"},{"vulnerability":"VCID-xdpy-sx55-b3ac"},{"vulnerability":"VCID-xsr8-3cke-33ck"},{"vulnerability":"VCID-yb4j-92y9-nfb5"},{"vulnerability":"VCID-yuwe-6pp1-bke2"},{"vulnerability":"VCID-zm9c-xw64-5qcc"},{"vulnerability":"VCID-zmh2-t17w-wue1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4.9"}],"aliases":["CVE-2016-3674","GHSA-rgh3-987h-wpmw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-znut-tkpq-b7cu"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.thoughtworks.xstream/xstream@1.4"}