5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21344

GHSA ID

GHSA-59jw-jqf4-3wq3

EPSS Score

0.96208%

CWE

CWE-434

Published

3/22/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21344

CVE-2021-21344: XStream is vulnerable to an Arbitrary Code Execution attack

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-21344.

Credits

钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

Open an issue in XStream
Contact us at XStream Google Group

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21344

GHSA ID

GHSA-59jw-jqf4-3wq3

EPSS Score

0.96208%

CWE

CWE-434

Published

3/22/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.thoughtworks.xstream:xstream	maven	< 1.4.16	1.4.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis focuses on XStream's deserialization process and its security framework. The identified functions are directly related to how XStream handles untrusted input and config.php its security settings. The primary vulnerable functions are those involved in the deserialization process, such as 'unmarshal' and 'fromXML', as they directly process potentially malicious input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility m*y *llow * r*mot* *tt**k*r to lo** *n* *x**ut* *r*itr*ry *o** *rom * r*mot* *ost only *y m*nipul*tin* t** pro**ss** input str**m. No us*r is *****t**, w*o *ollow** t** r**omm*n**tion to s*tup XStr**m's s**urity *r*m*work

Reasoning

T** *n*lysis *o*us*s on XStr**m's **s*ri*liz*tion pro**ss *n* its s**urity *r*m*work. T** i**nti*i** *un*tions *r* *ir**tly r*l*t** to *ow XStr**m **n*l*s untrust** input *n* `*on*i*.p*p` its s**urity s*ttin*s. T** prim*ry vuln*r**l* *un*tions *r* t*

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-21344: XStream is vulnerable to an Arbitrary Code Execution attack

Impact

Patches

Workarounds

References

Credits

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI