Search
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-7285 | 1 Xstream Project | 1 Xstream | 2022-04-25 | 7.5 HIGH | 9.8 CRITICAL |
| Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. | |||||
| CVE-2021-21351 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 6.5 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21350 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21347 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21346 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21345 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 6.5 MEDIUM | 9.9 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21344 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21342 | 4 Debian, Fedoraproject, Oracle and 1 more | 6 Debian Linux, Fedora, Banking Virtual Account Management and 3 more | 2022-02-16 | 5.8 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2019-10173 | 2 Oracle, Xstream Project | 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more | 2021-07-20 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) | |||||