How severe is CVE-2021-39139?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2021-39139?

This is classified as CWE-434, which is a common weakness in software security.

CVE-2021-39139 - HIGH Severity | CVSS 8.8

Vulnerability Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Related Vulnerabilities

CVE-2010-3663

HIGH

CVSS:8.8(High)

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arb...

CWE-4342010

CVE-2011-1597

HIGH

CVSS:8.8(High)

OpenVAS Manager v2.0.3 allows plugin remote code execution.

CWE-4342011

CVE-2011-4334

HIGH

CVSS:8.8(High)

edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the user...

CWE-4342011

CVE-2012-1592

HIGH

CVSS:8.8(High)

A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

CWE-4342012

CVE-2013-1916

HIGH

CVSS:8.8(High)

In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (exe...

CWE-4342013

CVE-2013-3591

HIGH

CVSS:8.8(High)

vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

CWE-4342013