CVE-2021-21342
Server-Side Request Forgery vulnerability in xstream (Maven)
What is CVE-2021-21342 About?
This vulnerability in XStream allows an attacker to manipulate the processed input stream during unmarshalling to inject or replace objects. This can result in a Server-Side Request Forgery (SSRF) if the application processes untrusted input without a whitelist. Exploitation is difficult without prior knowledge of the application's deserialization points and object structure.
Affected Software
Technical Details
During the unmarshalling process, XStream uses type information to reconstruct objects from the processed stream. An attacker can manipulate this stream to replace or inject malicious objects. This can lead to a Server-Side Request Forgery (SSRF) attack. By crafting the input to reference internal or external resources that the server can access, the attacker can coerce the server into making requests to arbitrary internal or external URLs. This is particularly problematic if the application is not configured with XStream's security framework using a strict whitelist of allowed types, allowing the attacker to introduce unintended object types that trigger network requests.
What is the Impact of CVE-2021-21342?
Successful exploitation may allow attackers to force the server to make arbitrary requests to internal or external resources, potentially leading to information disclosure, access to internal systems, or port scanning.
What is the Exploitability of CVE-2021-21342?
Exploitation complexity is moderate to high, as it requires a detailed understanding of the application's object graph and the ability to craft highly specific malicious XML or other serialized input. Authentication requirements depend on whether the deserialization endpoint requires authentication; if not, it can be a remote, unauthenticated attack. Privilege requirements are typically those of a standard user capable of providing input to the affected deserialization mechanism. The primary risk factor is the application processing untrusted serialized data (e.g., XML) with XStream without implementing a strict type whitelist in XStream's security framework.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-21342?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
  - versions < 1.4.16 → upgrade to 1.4.16
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-21342
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://x-stream.github.io/security.html#workaround
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.debian.org/security/2021/dsa-5004
What are Similar Vulnerabilities to CVE-2021-21342?
Similar Vulnerabilities: CVE-2023-46849, CVE-2023-42795, CVE-2023-38545, CVE-2023-28432, CVE-2022-35805
