CVE-2021-39144
8.5 HIGH
XStream is a simple library to serialize objects to XML and back again
Published: 2021-08-23 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- CWE: CWE-306, CWE-502, CWE-94
Affected products
| Vendor | Product |
|---|---|
| debian | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| fedoraproject | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| netapp | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| oracle | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
| xstream | business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine |
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
Source: NVD
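The mitigation the description refers to is XStream's security framework configured as an allowlist. The following is an added example, not code from the NVD record or from the XStream project; it assumes XStream 1.4.7 or later on the classpath, and the `Order` class is a hypothetical application type standing in for whatever the real application actually deserializes.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class XStreamAllowlistDemo {

    /** Hypothetical application type: the only non-JDK class the stream may produce. */
    public static class Order {
        public String id;
        public int quantity;
        public List<String> tags = new ArrayList<>();
    }

    /** XStream configured so that its security framework accepts only the types this code needs. */
    public static XStream hardened() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        // NoTypePermission.NONE clears every permission, so the lines below are the whole allowlist.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class });
        return xstream;
    }

    /** Returns the parsed Order, or null if the stream names a type outside the allowlist. */
    public static Order parseOrder(XStream xstream, String xml) {
        try {
            return (Order) xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // An element resolving to an unlisted class is refused before anything is instantiated.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed inputs: one of the expected shape, one naming a JDK type the allowlist does not cover.
        String expected = "<order><id>A-1</id><quantity>2</quantity><tags><string>gift</string></tags></order>";
        String unexpected = "<java.util.HashMap/>";
        Order o = parseOrder(xstream, expected);
        System.out.println("accepted: " + o.id + " x" + o.quantity + " " + o.tags);
        System.out.println("unexpected type rejected: " + (parseOrder(xstream, unexpected) == null));
    }
}
```

On XStream 1.4.18 and later the default is already an allowlist, so the explicit permissions above are what makes the configuration behave the same on the older, blacklist-default releases this CVE covers.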
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39144
- [Exploit reference] http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
- [Vendor advisory] https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
- [Other] https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- [Other] https://security.netapp.com/advisory/ntap-20210923-0003/
- [Other] https://www.debian.org/security/2021/dsa-5004
- [Patch] https://www.oracle.com/security-alerts/cpuapr2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujan2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujul2022.html
- [Vendor advisory] https://x-stream.github.io/CVE-2021-39144.html
- [Other] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
Related CVEs
Same vendor
- CVE-2026-35273 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) (9.8 CRITICAL)
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-46843 — Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
- CVE-2026-46842 — Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
- CVE-2026-46841 — Vulnerability in Oracle REST Data Services (component: General) (5.3 MEDIUM)
Same CWE
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-24155 — NVIDIA NeMo Framework for all platforms contains a code injection vulnerability (7.8 HIGH)
- CVE-2026-0647 — An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server