CVE-2021-39144

KEV
Published: Ago 23, 2021 Last Modified: Ott 24, 2025
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
MEDIUM 6,0
Source: [email protected]
Access Vector: network
Access Complexity: medium
Authentication: single
Confidentiality: partial
Integrity: partial
Availability: partial

Description

AI Translation Available

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,9438
Percentile
1,0th
Updated

EPSS Score Trend (Last 90 Days)

94

Improper Control of Generation of Code ('Code Injection')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Integrity Confidentiality Availability Non-Repudiation
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities
Applicable Platforms
Languages: Interpreted
Technologies: AI/ML
Likelihood of Exploit: Medium
View CWE Details
306

Missing Authentication for Critical Function

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Other
Potential Impacts:
Gain Privileges Or Assume Identity Varies By Context
Applicable Platforms
Technologies: Cloud Computing, ICS/OT
Likelihood of Exploit: High
View CWE Details
502

Deserialization of Untrusted Data

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context
Applicable Platforms
Languages: Java, JavaScript, PHP, Python, Ruby
Technologies: AI/ML, ICS/OT, Not Technology-Specific
Likelihood of Exploit: Medium
View CWE Details
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 19.0.2
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Unified Inventory Management by Oracle

Product Information
Vendor Oracle
Product Communications Unified Inventory Management
Version 7.3.4
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Unified Inventory Management by Oracle

Product Information
Vendor Oracle
Product Communications Unified Inventory Management
Version 7.3.5
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.2.0.3.0
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Billing And Revenue Management Elastic Charging Engine by Oracle

Product Information
Vendor Oracle
Product Communications Billing And Revenue Management Elastic Charging Engine
Version 12.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Snapmanager by Netapp

Product Information
Vendor Netapp
Product Snapmanager
Version -
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Commerce Guided Search by Oracle

Product Information
Vendor Oracle
Product Commerce Guided Search
Version 11.3.2
cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.4.0.0.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Policy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Policy
Version 1.14.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 18.0.3
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 16.0.6
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Unified Inventory Management by Oracle

Product Information
Vendor Oracle
Product Communications Unified Inventory Management
Version 7.4.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.2.0.2.0
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Webcenter Portal by Oracle

Product Information
Vendor Oracle
Product Webcenter Portal
Version 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Billing And Revenue Management Elastic Charging Engine by Oracle

Product Information
Vendor Oracle
Product Communications Billing And Revenue Management Elastic Charging Engine
Version 11.3
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Snapmanager by Netapp

Product Information
Vendor Netapp
Product Snapmanager
Version -
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.4.0.2.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.4.0.3.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.3.0.6.0
cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Framework by Oracle

Product Information
Vendor Oracle
Product Utilities Framework
Version 4.3.0.1.0
cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Xstream by Xstream

Product Information
Vendor Xstream
Product Xstream
Version Range Affected
To 1.4.18 (exclusive)
cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Utilities Testing Accelerator by Oracle

Product Information
Vendor Oracle
Product Utilities Testing Accelerator
Version 6.0.0.1.1
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Automated Test Suite by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Automated Test Suite
Version 1.9.0
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 20.0.1
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Unified Inventory Management by Oracle

Product Information
Vendor Oracle
Product Communications Unified Inventory Management
Version 7.4.1
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Binding Support Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Binding Support Function
Version 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Business Activity Monitoring by Oracle

Product Information
Vendor Oracle
Product Business Activity Monitoring
Version 12.2.1.4.0
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Webcenter Portal by Oracle

Product Information
Vendor Oracle
Product Webcenter Portal
Version 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 17.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Unified Inventory Management by Oracle

Product Information
Vendor Oracle
Product Communications Unified Inventory Management
Version 7.4.2
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.cisa.gov/known-exploited-vulnerabilities-catalo…
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021…
http://packetstormsecurity.com/files/169859/VMware-NSX-Mana…
http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthen…
https://github.com/x-stream/xstream/security/advisories/GHS…
https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
https://lists.debian.org/debian-lts-announce/2021/09/msg000…
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.netapp.com/advisory/ntap-20210923-0003/
https://security.netapp.com/advisory/ntap-20210923-0003/
https://www.debian.org/security/2021/dsa-5004
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://x-stream.github.io/CVE-2021-39144.html
https://x-stream.github.io/CVE-2021-39144.html
http://packetstormsecurity.com/files/169859/VMware-NSX-Mana…
http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthen…
https://github.com/x-stream/xstream/security/advisories/GHS…
https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
https://lists.debian.org/debian-lts-announce/2021/09/msg000…
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.netapp.com/advisory/ntap-20210923-0003/
https://security.netapp.com/advisory/ntap-20210923-0003/
https://www.debian.org/security/2021/dsa-5004
https://www.debian.org/security/2021/dsa-5004
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://x-stream.github.io/CVE-2021-39144.html
https://x-stream.github.io/CVE-2021-39144.html