CVE-2021-21349
SSRF vulnerability in xstream (Maven)
What is CVE-2021-21349 About?
This XStream vulnerability allows a remote attacker to request data from internal resources by manipulating the processed input stream. The impact is unauthorized access to internal network resources (Server-Side Request Forgery, SSRF). Exploitation requires crafted input, and can be prevented by configuring XStream's security framework as a whitelist of only the types the application actually needs to deserialize.
Affected Software
Technical Details
The vulnerability is a Server-Side Request Forgery (SSRF) that allows a remote attacker to manipulate the processed input stream of XStream. This manipulation coerces the application into making requests to internal network resources that are not publicly available. This typically occurs because XStream's deserialization process can be tricked into constructing URLs or network requests based on attacker-controlled data, which are then resolved by the server, allowing access to resources behind firewalls or on internal networks. Like other XStream vulnerabilities, the default blacklist is insufficient, and a whitelist of minimal required types is recommended for mitigation.
What is the Impact of CVE-2021-21349?
Successful exploitation may allow attackers to access internal network resources, potentially leading to information disclosure, network mapping, or further attacks against internal systems.
What is the Exploitability of CVE-2021-21349?
Exploitation involves a remote attacker manipulating the processed input stream, requiring a moderate complexity level to craft the specific input to trigger the SSRF. There are no explicit authentication or privilege requirements; the attacker only needs the ability to send input to the affected XStream instance. This is a remote access scenario. Similar to other XStream issues, users who have configured the security framework with a whitelist are not affected. Risk factors include publicly accessible applications that use XStream and deserialize untrusted input without a strict security configuration.
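The whitelist configuration recommended in the Technical Details and Exploitability sections, as an added example (not code from this page or from the XStream project). It assumes a hypothetical application type `Order` and two constructed XML inputs; everything that is not explicitly allowed is rejected before any object is constructed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class AllowlistDemo {

    // Hypothetical application type: the only custom class this service expects to read.
    public static class Order {
        String id;
        int quantity;
        List<String> tags = new ArrayList<>();
    }

    /** Build an XStream instance that accepts only the types this service actually needs. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears every default permission, including the
        // blacklist-based defaults the advisory calls insufficient; from here on
        // only what is explicitly allowed below can be deserialized.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);                // null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.allowTypeHierarchy(Collection.class);              // needed for Order.tags
        xstream.alias("order", Order.class);                       // readable element name
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: uses only allowlisted types, so it parses normally.
        String expected = "<order><id>A-17</id><quantity>3</quantity>"
                        + "<tags><string>rush</string></tags></order>";
        Order order = (Order) xstream.fromXML(expected);
        System.out.println("Parsed order " + order.id + " x" + order.quantity);

        // Constructed input naming a JDK type the service never asked for:
        // the security mapper rejects it before any instance is created.
        try {
            xstream.fromXML("<java.util.Date/>");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected type: " + e.getMessage());
        }
    }
}
```

The same `ForbiddenClassException` is what a gadget chain hits when its first unexpected type is named, so logging these exceptions gives a cheap detection signal for probing against an XStream endpoint.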
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| s-index | Link | XStream SSRF CVE-2021-21349 |
What are the Available Fixes for CVE-2021-21349?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
  - <1.4.16 → Upgrade to 1.4.16
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://x-stream.github.io/security.html#workaround
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://x-stream.github.io/CVE-2021-21349.html
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-21349
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.debian.org/security/2021/dsa-5004
What are Similar Vulnerabilities to CVE-2021-21349?
Similar Vulnerabilities: CVE-2023-38545, CVE-2021-43816, CVE-2021-43297, CVE-2020-13936, CVE-2019-14061
