logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-39150 com.thoughtworks.xstream:xstream

Package

Manager: maven
Name: com.thoughtworks.xstream:xstream
Vulnerable Version: >=0 <1.4.18

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.01952 pctl0.82756

Details

A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host ### Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39150](https://x-stream.github.io/CVE-2021-39150.html). ### Credits Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)

Metadata

Created: 2021-08-25T14:47:19Z
Modified: 2022-02-08T20:43:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-cxfm-5m4g-x7xp/GHSA-cxfm-5m4g-x7xp.json
CWE IDs: ["CWE-502", "CWE-918"]
Alternative ID: GHSA-cxfm-5m4g-x7xp
Finding: F100
Auto approve: 1