CVE-2021-21348
XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
How to fix CVE-2021-21348
To remediate CVE-2021-21348, upgrade the affected package to a fixed version below.
- —upgrade to 5.15.14 or later
- —upgrade to 1.4.15-2 or later
- —upgrade to 1.4.16 or later
Is CVE-2021-21348 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
- from 0, < 1.4.15-2
- from 0, < 1.4.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H |