CVE-2021-29505
high-risk
Published 2021-05-28
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Do I need to act?
!
90.8% chance of exploitation in next 30 days
EPSS score — higher than 9% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ HIGH complexity
Affected Products (20)
Affected Vendors
References (28)
Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
Third Party Advisory
https://www.debian.org/security/2021/dsa-5004
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
and 8 more references
66
/ 100
high-risk
Severity
22/34 · High
Exploitability
20/34 · Moderate
Exposure
24/34 · High