CVE-2021-39149 (High) detected in xstream-1.4.15.jar - autoclosed
mend-bolt-for-github opened this issue · comments
CVE-2021-39149 - High Severity Vulnerability
Vulnerable Library - xstream-1.4.15.jar
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.15/xstream-1.4.15.jar
Dependency Hierarchy:
- sdk-1.0.9.jar (Root Library)
- ❌ xstream-1.4.15.jar (Vulnerable Library)
Found in HEAD commit: e277f2b66fafa1b41ac5b3e3447909848122b5f3
Found in base branch: master
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39149
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ccq-5vw3-2p6x
Release Date: 2021-08-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.18
Step up your Open Source Security Game with WhiteSource here
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.