CVE-2021-29505
libxstream-java - security update
7.5
HIGH
CVSS 3.1
EPSS 90.3%
Description
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream, i.e. by supplying XML that makes XStream instantiate types the application never intended to deserialize. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
How to fix CVE-2021-29505
To remediate CVE-2021-29505, upgrade the affected package to the fixed version for its release stream listed below. Upgrading is the fix for this issue; configuring XStream's security framework with a whitelist of the minimal required types (see the description) is the defence that makes this class of issue non-exploitable and should be done regardless of version.
- upgrade to 1.4.15-3 or later
- upgrade to 1.4.11.1-1+deb9u3 or later
- upgrade to 1.4.17 or later
Is CVE-2021-29505 being exploited?
Likely. EPSS is 90.3%, the estimated probability that this vulnerability sees exploitation activity in the wild within the next 30 days, which places CVE-2021-29505 in the top tier of vulnerabilities by exploitation probability. Prioritise patching, and treat any service that deserializes untrusted XML with a pre-1.4.17 XStream and no type whitelist as exposed.
Affected packages (3)
- from 0, < 1.4.15-3
- from 0, < 1.4.11.1-1+deb9u3
- from 0, < 1.4.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |