{ "schema_version": "1.4.0", "id": "GHSA-6wf9-jmg9-vxcc", "modified": "2022-02-08T20:59:06Z", "published": "2021-08-25T14:48:39Z", "aliases": [ "CVE-2021-39140" ], "summary": "XStream can cause a Denial of Service", "details": "### Impact\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39140](https://x-stream.github.io/CVE-2021-39140.html).\n\n### Credits\nThe vulnerability was discovered and reported by Lai Han of nsfocus security team.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "com.thoughtworks.xstream:xstream" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.4.18" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140" }, { "type": "PACKAGE", "url": "https://github.com/x-stream/xstream" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210923-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://x-stream.github.io/CVE-2021-39140.html" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-835" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-23T18:22:01Z", "nvd_published_at": "2021-08-23T19:15:00Z" } }