{"id":"UBUNTU-CVE-2021-39151","details":"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.","modified":"2026-01-30T02:54:04.675925Z","published":"2021-08-23T18:15:00Z","related":["USN-5946-1"],"upstream":["CVE-2021-39151"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-39151"},{"type":"REPORT","url":"https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4"},{"type":"REPORT","url":"https://x-stream.github.io/CVE-2021-39151.html"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5946-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-39151"}],"affected":[{"package":{"name":"libxstream-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libxstream-java@1.4.11.1-1+deb10u4build0.18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.11.1-1+deb10u4build0.18.04.1"}]}],"versions":["1.4.10-1","1.4.11.1-1~18.04","1.4.11.1-1~18.04.1","1.4.11.1-1~18.04.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"libxstream-java","binary_version":"1.4.11.1-1+deb10u4build0.18.04.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-39151.json"}},{"package":{"name":"libxstream-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libxstream-java@1.4.11.1-1ubuntu0.3?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.11.1-1ubuntu0.3"}]}],"versions":["1.4.11.1-1","1.4.11.1-1ubuntu0.1","1.4.11.1-1ubuntu0.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"libxstream-java","binary_version":"1.4.11.1-1ubuntu0.3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-39151.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}