CVE-2021-21349

HIGH Year: 2021
CVSS v3 Score
8.6
High
CVSS v2 Score
5.0
Medium
Weakness Type
CWE-502
View all →

Vulnerability Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Related Vulnerabilities

CVE-2021-21371

HIGH
CVSS:8.6(High)

Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It published in pyp...

CWE-5022021

CVE-2021-27475

HIGH
CVSS:8.6(High)

Rockwell Automation Connected Components Workbench v12.00.00 and prior does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object t...

CWE-5022021

CVE-2025-1403

HIGH
CVSS:8.6(High)

Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a ...

CWE-5022025

CVE-2021-39150

HIGH
CVSS:8.5(High)

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicl...

CWE-5022021

CVE-2021-39152

HIGH
CVSS:8.5(High)

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicl...

CWE-5022021

CVE-2024-24842

HIGH
CVSS:8.7(High)

Deserialization of Untrusted Data vulnerability in Echo Plugins Knowledge Base for Documentation, FAQs with AI Assistance.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: ...

CWE-5022024