Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Multiple Vulnerabilities Found in XStream
Alerts

Multiple Vulnerabilities Found in XStream

15 March 2021

XStream, is an open-source Java library to serialise objects to XML and back again, has released security patches to address multiple vulnerabilities in the product. Some of the vulnerabilities were rated as critical and could lead to a remote code execution attack.

These vulnerabilities are:

  • CVE-2021-21341 -  A vulnerability that could cause a Denial of Service.

  • CVE-2021-21342, CVE-2021-21349 - Server-Side Forgery Request (SSRF) vulnerabilities which could be activated via unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the localhost.

  • CVE-2021-21343 - XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling if the executing process has sufficient rights. 

  • CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21351 - XStream is vulnerable to an Arbitrary Code Execution attack

  • CVE-2021-21345 -  - XStream is vulnerable to an Arbitrary Command Execution attack.

  • CVE-2021-21348 -  XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos).


All versions prior to and including version 1.4.15 are affected by these vulnerabilities. Users and administrators of the affected versions are advised to upgrade to the latest product versions immediately.

More information is available here:
https://x-stream.github.io/security.html 

Back to top