Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-9huk-4zf2-eyaq
Vulnerability ID VCID-9huk-4zf2-eyaq
Aliases CVE-2021-39144
GHSA-j9h8-phrw-h4fh
Summary
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-502 Deserialization of Untrusted Data
CWE-306 Missing Authentication for Critical Function
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 8.5 http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
cvssv3.1 8.5 http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
generic_textual HIGH http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
ssvc Attend http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
cvssv3 8.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json
epss 0.94255 https://api.first.org/data/v1/epss?cve=CVE-2021-39144
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 8.5 https://github.com/x-stream/xstream
generic_textual HIGH https://github.com/x-stream/xstream
cvssv3.1 8.5 https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
cvssv3.1 8.5 https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
generic_textual HIGH https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
ssvc Attend https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
cvssv3.1 8.5 https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
cvssv3.1 8.5 https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
ssvc Attend https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
ssvc Attend https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
ssvc Attend https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
ssvc Attend https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
cvssv3.1 8.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
cvssv3.1 8.5 https://nvd.nist.gov/vuln/detail/CVE-2021-39144
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-39144
cvssv3.1 8.5 https://security.netapp.com/advisory/ntap-20210923-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20210923-0003
cvssv3.1 8.5 https://security.netapp.com/advisory/ntap-20210923-0003/
ssvc Attend https://security.netapp.com/advisory/ntap-20210923-0003/
cvssv3.1 8.5 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
generic_textual HIGH https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
cvssv3.1 8.5 https://www.debian.org/security/2021/dsa-5004
cvssv3.1 8.5 https://www.debian.org/security/2021/dsa-5004
generic_textual HIGH https://www.debian.org/security/2021/dsa-5004
ssvc Attend https://www.debian.org/security/2021/dsa-5004
cvssv3.1 8.5 https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv3.1 8.5 https://www.oracle.com/security-alerts/cpuapr2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuapr2022.html
ssvc Attend https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv3.1 8.5 https://www.oracle.com/security-alerts/cpujan2022.html
cvssv3.1 8.5 https://www.oracle.com/security-alerts/cpujan2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujan2022.html
ssvc Attend https://www.oracle.com/security-alerts/cpujan2022.html
cvssv3.1 8.5 https://www.oracle.com/security-alerts/cpujul2022.html
cvssv3.1 8.5 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Attend https://www.oracle.com/security-alerts/cpujul2022.html
cvssv3.1 8.5 https://x-stream.github.io/CVE-2021-39144.html
cvssv3.1 8.5 https://x-stream.github.io/CVE-2021-39144.html
generic_textual HIGH https://x-stream.github.io/CVE-2021-39144.html
ssvc Attend https://x-stream.github.io/CVE-2021-39144.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json
https://api.first.org/data/v1/epss?cve=CVE-2021-39144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39154
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/x-stream/xstream
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
https://nvd.nist.gov/vuln/detail/CVE-2021-39144
https://security.netapp.com/advisory/ntap-20210923-0003
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
1997772 https://bugzilla.redhat.com/show_bug.cgi?id=1997772
22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
998054 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998054
cpuapr2022.html https://www.oracle.com/security-alerts/cpuapr2022.html
cpujan2022.html https://www.oracle.com/security-alerts/cpujan2022.html
cpujul2022.html https://www.oracle.com/security-alerts/cpujul2022.html
CVE-2021-39144.html https://x-stream.github.io/CVE-2021-39144.html
dsa-5004 https://www.debian.org/security/2021/dsa-5004
GHSA-j9h8-phrw-h4fh https://github.com/advisories/GHSA-j9h8-phrw-h4fh
GHSA-j9h8-phrw-h4fh https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
msg00017.html https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
ntap-20210923-0003 https://security.netapp.com/advisory/ntap-20210923-0003/
PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
RHSA-2021:3956 https://access.redhat.com/errata/RHSA-2021:3956
RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296
RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297
RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520
RHSA-2023:1303 https://access.redhat.com/errata/RHSA-2023:1303
RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892
USN-5946-1 https://usn.ubuntu.com/5946-1/
VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
Data source Metasploit
Description VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance. VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to Remote Command Injection. This module exploits the vulnerability to upload and execute payloads gaining root privileges.
Note 
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
  - artifacts-on-disk
Ransomware campaign use Unknown
Source publication date Oct. 25, 2022
Platform Linux,Unix
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb
Data source KEV
Date added March 10, 2023
Description XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.
Required action Apply updates per vendor instructions.
Due date March 31, 2023
Note 
https://www.vmware.com/security/advisories/VMSA-2022-0027.html, https://x-stream.github.io/CVE-2021-39144.html; https://nvd.nist.gov/vuln/detail/CVE-2021-39144
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39144.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/x-stream/xstream
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-39144
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://security.netapp.com/advisory/ntap-20210923-0003
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20210923-0003/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://security.netapp.com/advisory/ntap-20210923-0003/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://www.debian.org/security/2021/dsa-5004
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.debian.org/security/2021/dsa-5004
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://www.debian.org/security/2021/dsa-5004
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.oracle.com/security-alerts/cpujan2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujan2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://www.oracle.com/security-alerts/cpujan2022.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://x-stream.github.io/CVE-2021-39144.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://x-stream.github.io/CVE-2021-39144.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T19:37:39Z/ Found at https://x-stream.github.io/CVE-2021-39144.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.99935
EPSS Score 0.94255
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:08:14.064042+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 38.6.0