{ "schema_version": "1.4.0", "id": "GHSA-cxfm-5m4g-x7xp", "modified": "2022-02-08T20:43:26Z", "published": "2021-08-25T14:47:19Z", "aliases": [ "CVE-2021-39150" ], "summary": "A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", "details": "### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39150](https://x-stream.github.io/CVE-2021-39150.html).\n\n### Credits\nLai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "com.thoughtworks.xstream:xstream" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.4.18" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150" }, { "type": "PACKAGE", "url": "https://github.com/x-stream/xstream" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210923-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://x-stream.github.io/CVE-2021-39150.html" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-23T18:22:24Z", "nvd_published_at": "2021-08-23T19:15:00Z" } }