Partial details (5 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.
Vulnerable Library - xstream-1.4.5.jar
XStream is a serialization library from Java objects to XML and back.
Found in HEAD commit: 50449e8346df657611a75bc79e49c2e4cb325b5b
## Vulnerabilities

## Details

**CVE-2021-21345**
### Vulnerable Library - xstream-1.4.5.jar

XStream is a serialization library from Java objects to XML and back.

Dependency Hierarchy:
- :x: **xstream-1.4.5.jar** (Vulnerable Library)
Found in HEAD commit: 50449e8346df657611a75bc79e49c2e4cb325b5b
Found in base branch: main
### Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21345
### CVSS 3 Score Details (9.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
**CVE-2021-21344**

### Vulnerable Library - xstream-1.4.5.jar

XStream is a serialization library from Java objects to XML and back.

Dependency Hierarchy:
- :x: **xstream-1.4.5.jar** (Vulnerable Library)
Found in HEAD commit: 50449e8346df657611a75bc79e49c2e4cb325b5b
Found in base branch: main
### Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21344
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
**CVE-2013-7285**

### Vulnerable Library - xstream-1.4.5.jar

XStream is a serialization library from Java objects to XML and back.

Dependency Hierarchy:
- :x: **xstream-1.4.5.jar** (Vulnerable Library)
Found in HEAD commit: 50449e8346df657611a75bc79e49c2e4cb325b5b
Found in base branch: main
### Vulnerability Details

XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
Publish Date: 2019-05-15
URL: CVE-2013-7285
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
Release Date: 2019-05-15
Fix Resolution: 1.4.7, 1.4.11
**CVE-2021-21350**

### Vulnerable Library - xstream-1.4.5.jar

XStream is a serialization library from Java objects to XML and back.

Dependency Hierarchy:
- :x: **xstream-1.4.5.jar** (Vulnerable Library)
Found in HEAD commit: 50449e8346df657611a75bc79e49c2e4cb325b5b
Found in base branch: main
### Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21350
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
**CVE-2021-21347**

### Vulnerable Library - xstream-1.4.5.jar

XStream is a serialization library from Java objects to XML and back.

Dependency Hierarchy:
- :x: **xstream-1.4.5.jar** (Vulnerable Library)
Found in HEAD commit: 50449e8346df657611a75bc79e49c2e4cb325b5b
Found in base branch: main
### Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21347
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16