{"id":"MGASA-2021-0370","summary":"Updated xstream packages fix security vulnerabilities","details":"In XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to allocate 100% CPU time on the target system depending on\nCPU type or parallel execution of such a payload, resulting in a denial of\nservice only by manipulating the processed input stream (CVE-2021-21341).\n\nIn XStream before version 1.4.16, there is a vulnerability where the processed\nstream at unmarshalling time contains type information to recreate the\nformerly written objects. XStream therefore creates new instances based on\nthis type information. An attacker can manipulate the processed input stream\nand replace or inject objects that result in a server-side forgery request\n(CVE-2021-21342).\n\nIn XStream before version 1.4.16, there is a vulnerability where the processed\nstream at unmarshalling time contains type information to recreate the formerly\nwritten objects. XStream therefore creates new instances based on this type\ninformation. An attacker can manipulate the processed input stream and replace\nor inject objects that result in the deletion of a file on the local host\n(CVE-2021-21343).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to load and execute arbitrary code from a remote host only by\nmanipulating the processed input stream (CVE-2021-21344).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker who has sufficient rights to execute commands of the host only\nby manipulating the processed input stream (CVE-2021-21345).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to load and execute arbitrary code from a remote host only by\nmanipulating the processed input stream (CVE-2021-21346).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to load and execute arbitrary code from a remote host only by\nmanipulating the processed input stream (CVE-2021-21347).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to occupy a thread that consumes maximum CPU time and will\nnever return (CVE-2021-21348).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to request data from internal resources that are not publicly\navailable only by manipulating the processed input stream (CVE-2021-21349).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to execute arbitrary code only by manipulating the processed\ninput stream (CVE-2021-21350).\n\nIn XStream before version 1.4.16, there is a vulnerability which may allow a\nremote attacker to load and execute arbitrary code from a remote host only by\nmanipulating the processed input stream (CVE-2021-21351).\n\nA vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker\nwho has sufficient rights to execute commands of the host only by manipulating\nthe processed input stream (CVE-2021-29505).\n\nThese vulnerabilities are mitigated if the user followed the recommendation to\nset up XStream's security framework with a whitelist limited to the minimal\nrequired types.\n","modified":"2026-02-02T11:49:49.980677Z","published":"2021-07-25T14:45:06Z","related":["CVE-2021-21341","CVE-2021-21342","CVE-2021-21343","CVE-2021-21344","CVE-2021-21345","CVE-2021-21346","CVE-2021-21347","CVE-2021-21348","CVE-2021-21349","CVE-2021-21350","CVE-2021-21351","CVE-2021-29505"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0370.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28844"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2021:1354"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2021/dla-2616"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-4943-1"},{"type":"REPORT","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H2CFEJOW6N5BGEB6UU3SEQ3UF5C2UWJL/"}],"affected":[{"package":{"name":"xstream","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/xstream?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.15-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0370.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}