CVE-2021-21345 (Medium) Detected In Xstream-1.4.5.jar
Understanding the Vulnerability
CVE-2021-21345 - Medium Severity Vulnerability
XStream is a library for serializing Java objects to XML and back. It is widely used in many applications, but versions before 1.4.16 contain a vulnerability that can be exploited by a remote attacker. This article covers the CVE-2021-21345 vulnerability, its impact, and the suggested fix.
Vulnerable Library - xstream-1.4.5.jar
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Dependency Hierarchy
The vulnerable library, xstream-1.4.5.jar, is found in the dependency hierarchy of the project. The dependency hierarchy is as follows:
- xstream-1.4.5.jar (Vulnerable Library)
Found in HEAD Commit and Base Branch
The vulnerable library was found in the HEAD commit and the base branch of the project. The HEAD commit is b19938a045bfea1defab9c2a9a22e57af023d02a, and the base branch is main.
Vulnerability Details
The CVE-2021-21345 vulnerability is a medium severity vulnerability that can be exploited by a remote attacker. It allows a remote attacker to execute commands on the host by manipulating the processed input stream. The vulnerability is present in XStream before version 1.4.16.
Publish Date and URL
The publish date of the vulnerability is 2021-03-22, and the URL is https://www.mend.io/vulnerability-database/CVE-2021-21345.
CVSS 3 Score Details
The CVSS 3 score of the vulnerability is 5.8. The base score metrics are as follows:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
The suggested fix for the CVE-2021-21345 vulnerability is to upgrade XStream to at least version 1.4.16. The fix type is a version upgrade, and the origin is https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4. The release date of the fix is 2021-03-22, and the fix resolution is 1.4.16.
Q: What is XStream and why is it vulnerable?
A: XStream is a Java library used for serializing objects to XML and back again. It is widely used in many applications. The CVE-2021-21345 vulnerability is present in XStream before version 1.4.16 and allows a remote attacker to execute commands on the host by manipulating the processed input stream.
Q: What is the impact of the CVE-2021-21345 vulnerability?
A: The CVE-2021-21345 vulnerability is a medium severity vulnerability that can be exploited by a remote attacker. It allows a remote attacker to execute commands on the host by manipulating the processed input stream. The impact of the vulnerability is high, as it can lead to unauthorized access to the system and data.
Q: What are the CVSS 3 score details of the CVE-2021-21345 vulnerability?
A: The CVSS 3 score of the CVE-2021-21345 vulnerability is 5.8. The base score metrics are as follows:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Q: What is the suggested fix for the CVE-2021-21345 vulnerability?
A: The suggested fix for the CVE-2021-21345 vulnerability is to upgrade XStream to at least version 1.4.16. The fix type is a version upgrade, and the origin is https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4. The release date of the fix is 2021-03-22, and the fix resolution is 1.4.16.
Q: How can I prevent the CVE-2021-21345 vulnerability from occurring in the future?
A: To prevent the CVE-2021-21345 vulnerability from occurring in the future, you should:
- Keep your dependencies up-to-date and secure.
- Regularly update your XStream version to the latest version.
- Use a whitelist limited to the minimal required types in XStream's security framework.
- Avoid relying on XStream's default blacklist of the Security Framework.
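The following is an added example of the whitelist (allowlist) setup recommended above; it is not code from the report or from the XStream project. The model package name and classes are assumptions. XStream's security framework only exists from version 1.4.7 onward, so this configuration complements the upgrade to 1.4.16 rather than replacing it.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;

/**
 * Builds an XStream instance that deserializes only an explicit allowlist of types.
 * Requires XStream 1.4.16 or later: the security framework is absent in 1.4.5,
 * so upgrading the dependency is a prerequisite for this configuration.
 */
public final class SafeXStreamFactory {

    private SafeXStreamFactory() {
    }

    public static XStream create() {
        XStream xstream = new XStream();

        // Start from "deny everything": NoTypePermission.NONE clears the default
        // permissions, then only the types the application needs are re-added.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);

        // Concrete JDK value and container types the model legitimately uses.
        // Allow specific classes rather than whole hierarchies to keep the list minimal.
        xstream.allowTypes(new Class[] { String.class, Date.class, ArrayList.class, HashMap.class });

        // The application's own model package (assumed name), matched by wildcard.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });

        return xstream;
    }

    /**
     * Deserializes XML with the allowlisted instance. A stream that references any
     * type outside the allowlist is rejected with
     * com.thoughtworks.xstream.security.ForbiddenClassException instead of being
     * instantiated, which is the behaviour that blocks manipulated input streams.
     */
    public static Object fromXml(String xml) {
        return create().fromXML(xml);
    }
}
```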
Q: What is the impact of not fixing the CVE-2021-21345 vulnerability?
A: If the CVE-2021-21345 vulnerability is not fixed, a remote attacker can exploit it to execute commands on the host by manipulating the processed input stream. This can lead to unauthorized access to the system and data and potentially cause significant damage.
Q: How can I verify that the CVE-2021-21345 vulnerability has been fixed?
A: To verify that the CVE-2021-21345 vulnerability has been fixed, you should:
- Check the version of XStream in your project.
- Verify that the version of XStream is at least 1.4.16.
- Use a vulnerability scanner or a security tool to scan your project for vulnerabilities.
By following these steps, you can verify that the CVE-2021-21345 vulnerability has been fixed and prevent it from occurring in the future.