{"id":"USN-4943-1","summary":"libxstream-java vulnerabilities","details":"Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code\nexecution. A remote attacker could run arbitrary shell commands by\nmanipulating the processed input stream. This issue affected only affected\nUbuntu 20.10. (CVE-2020-26217)\n\nIt was discovered that XStream was vulnerable to server-side forgery attacks.\nA remote attacker could request data from internal resources that are not\npublicly available only by manipulating the processed input stream. This\nissue only affected Ubuntu 20.10. (CVE-2020-26258)\n\nIt was discovered that XStream was vulnerable to arbitrary file deletion on\nthe local host. A remote attacker could use this to delete arbitrary known\nfiles on the host as long as the executing process had sufficient rights only\nby manipulating the processed input stream. This issue only affected\nUbuntu 20.10. (CVE-2020-26259)\n\nIt was discovered that XStream was vulnerable to denial of service,\narbitrary code execution, arbitrary file deletion and server-side forgery\nattacks. A remote attacker could cause any of those issues by manipulating\nthe processed input stream. (CVE-2021-21341, CVE-2021-21342, CVE-2021-21343\nCVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347,\nCVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351)\n","modified":"2026-02-10T04:42:09Z","published":"2021-05-11T09:41:13Z","related":["UBUNTU-CVE-2020-26217","UBUNTU-CVE-2020-26258","UBUNTU-CVE-2020-26259","UBUNTU-CVE-2021-21341","UBUNTU-CVE-2021-21342","UBUNTU-CVE-2021-21343","UBUNTU-CVE-2021-21344","UBUNTU-CVE-2021-21345","UBUNTU-CVE-2021-21346","UBUNTU-CVE-2021-21347","UBUNTU-CVE-2021-21348","UBUNTU-CVE-2021-21349","UBUNTU-CVE-2021-21350","UBUNTU-CVE-2021-21351"],"upstream":["CVE-2020-26217","CVE-2020-26258","CVE-2020-26259","CVE-2021-21341","CVE-2021-21342","CVE-2021-21343","CVE-2021-21344","CVE-2021-21345","CVE-2021-21346","CVE-2021-21347","CVE-2021-21348","CVE-2021-21349","CVE-2021-21350","CVE-2021-21351","UBUNTU-CVE-2020-26217","UBUNTU-CVE-2020-26258","UBUNTU-CVE-2020-26259","UBUNTU-CVE-2021-21341","UBUNTU-CVE-2021-21342","UBUNTU-CVE-2021-21343","UBUNTU-CVE-2021-21344","UBUNTU-CVE-2021-21345","UBUNTU-CVE-2021-21346","UBUNTU-CVE-2021-21347","UBUNTU-CVE-2021-21348","UBUNTU-CVE-2021-21349","UBUNTU-CVE-2021-21350","UBUNTU-CVE-2021-21351"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4943-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-26217"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-26258"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-26259"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21341"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21342"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21343"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21344"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21345"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21346"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21347"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21348"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21349"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21350"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21351"}],"affected":[{"package":{"name":"libxstream-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libxstream-java@1.4.11.1-1~18.04.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.11.1-1~18.04.2"}]}],"versions":["1.4.10-1","1.4.11.1-1~18.04","1.4.11.1-1~18.04.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"libxstream-java","binary_version":"1.4.11.1-1~18.04.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4943-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21341"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21342"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21343"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21344"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21345"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21346"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21347"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}],"id":"CVE-2021-21348"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21349"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21350"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21351"}],"ecosystem":"Ubuntu:18.04:LTS"}}},{"package":{"name":"libxstream-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libxstream-java@1.4.11.1-1ubuntu0.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.11.1-1ubuntu0.2"}]}],"versions":["1.4.11.1-1","1.4.11.1-1ubuntu0.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"libxstream-java","binary_version":"1.4.11.1-1ubuntu0.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4943-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21341"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21342"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21343"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21344"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21345"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21346"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21347"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}],"id":"CVE-2021-21348"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21349"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21350"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-21351"}],"ecosystem":"Ubuntu:20.04:LTS"}}}],"schema_version":"1.7.3"}