XStream CVE-2021-39144 vulnerability in Xstreamproject and Other Products
Published on August 23, 2021

XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker who already has sufficient rights may execute commands on the host simply by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
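The advisory's mitigation is a type allowlist, and the page does not show what that looks like in code. The following is an added example written for this page, not code from the XStream project or the advisory. It assumes XStream 1.4.18 (Maven coordinate com.thoughtworks.xstream:xstream:1.4.18) and a hypothetical application type Person; the two XML documents are constructed sample inputs, and java.util.HashMap stands in for any type an attacker might name in a manipulated stream that is not on the allowlist, not for a working gadget. The weak configuration, which accepts whatever type the stream names, is shown beside the hardened one so the difference in behaviour is visible.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application type: the only object this service expects to receive.
    public static class Person {
        String name;
        int age;
    }

    // Weak configuration (assumption for illustration): every type named in the
    // stream is accepted. Before 1.4.18 the default blacklist behaved like this for
    // any type the blacklist did not know about; on 1.4.18 you only get here by
    // explicitly granting AnyTypePermission.
    static XStream unsafeXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(AnyTypePermission.ANY);
        xstream.alias("person", Person.class);
        return xstream;
    }

    // Hardened configuration: reset every permission, then allow only the types the
    // application genuinely needs. This is the allowlist pattern the advisory recommends.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // forbid everything first
        xstream.addPermission(NullPermission.NULL);                 // null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Person.class });
        // For a whole model package you could instead use, e.g.:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("person", Person.class);
        return xstream;
    }

    // True if XStream's security framework refused a type named in the stream.
    // Any other exception propagates, so a malformed document is not mistaken for a block.
    static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the document the service legitimately expects.
        String legitimate = "<person><name>Alice</name><age>30</age></person>";

        // Constructed sample input: the attacker has replaced the root element with a
        // class name of their choosing. HashMap is merely a type outside the allowlist.
        String manipulated = "<java.util.HashMap><entry><string>k</string>"
                + "<string>v</string></entry></java.util.HashMap>";

        XStream unsafe = unsafeXStream();
        XStream hardened = hardenedXStream();

        System.out.println("unsafe   rejects legitimate:  " + isRejected(unsafe, legitimate));    // false
        System.out.println("unsafe   rejects manipulated: " + isRejected(unsafe, manipulated));   // false
        System.out.println("hardened rejects legitimate:  " + isRejected(hardened, legitimate));  // false
        System.out.println("hardened rejects manipulated: " + isRejected(hardened, manipulated)); // true
    }
}
```

The NoTypePermission.NONE line matters: a fresh XStream on 1.4.18 already carries a default allowlist of basic JDK types (collections, maps, dates and the like), and without the reset those remain reachable. Upgrading to 1.4.18 removes the blacklist default, but the advisory's point is that the allowlist, not the version bump, is what makes the deserializer safe, so apply both.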

References: GitHub repository, vendor advisories, NVD

Known Exploited Vulnerability

This XStream remote code execution vulnerability is part of CISA's list of Known Exploited Vulnerabilities. XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.

The following remediation step is recommended / required by March 31, 2023: apply updates per vendor instructions.

Vulnerability Analysis

CVE-2021-39144 is exploitable with network access and requires only a low level of user privileges. The vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 1.8 out of a possible 3.9. The potential impact of an exploit of this vulnerability is considered to be very high.

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2021-39144 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.


What versions are vulnerable to CVE-2021-39144?

Vulnerable Packages

The following package name and versions are associated with CVE-2021-39144:

Package Manager | Vulnerable Package                | Versions | Fixed In
maven           | com.thoughtworks.xstream:xstream  | < 1.4.18 | 1.4.18