CVE-2021-39139
8.5 HIGH
XStream is a simple library to serialize objects to XML and back again.
Published: 2021-08-23 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 8.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- CWE
- CWE-434, CWE-502
Affected products
| Vendor | Product |
|---|---|
| debian | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| fedoraproject | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| netapp | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| oracle | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| xstream | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39139
- [Other] https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
- [Other] https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- [Other] https://security.netapp.com/advisory/ntap-20210923-0003/
- [Other] https://www.debian.org/security/2021/dsa-5004
- [Patch] https://www.oracle.com/security-alerts/cpuapr2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujan2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujul2022.html
- [Vendor advisory] https://x-stream.github.io/CVE-2021-39139.html
Related CVEs
Same vendor
- CVE-2026-35273 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) (9.8 CRITICAL)
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-46843 — Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
- CVE-2026-46842 — Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
- CVE-2026-46841 — Vulnerability in Oracle REST Data Services (component: General) (5.3 MEDIUM)
Same CWE
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)