CVE-2021-39146— XStream 代码问题漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2021-39146 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
XStream is vulnerable to an Arbitrary Code Execution attack
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
危险类型文件的不加限制上传
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
XStream 代码问题漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
XStream是XStream(Xstream)团队的一个轻量级的、简单易用的开源Java类库,它主要用于将对象序列化成XML(JSON)或反序列化为对象。 XStream 1.4.18之前版本存在代码问题漏洞,攻击者可利用该漏洞通过操纵已处理的输入流从远程主机加载和执行任意代码
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
二、漏洞 CVE-2021-39146 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml | POC详情 |
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2021-39146 的情报信息
请登录查看更多情报信息。
- https://x-stream.github.io/CVE-2021-39146.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpujan2022.htmlx_refsource_MISC
- https://security.netapp.com/advisory/ntap-20210923-0003/x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpujul2022.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpuapr2022.htmlx_refsource_MISC
- https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8fx_refsource_CONFIRM
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/vendor-advisoryx_refsource_FEDORA
- https://nvd.nist.gov/vuln/detail/CVE-2021-39146
同批安全公告 · x-stream · 2021-08-23 · 共 14 条
| CVE-2021-39139 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39141 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39144 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39145 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39147 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39148 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39149 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39150 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39151 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39152 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39153 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39154 | 8.5 HIGH | XStream 代码问题漏洞 |
| CVE-2021-39140 | 6.5 MEDIUM | XStream 安全漏洞 |
IV. Related Vulnerabilities
V. Comments for CVE-2021-39146
暂无评论