CVE-2021-39153 (High) detected in xstream-1.3.1.jar - autoclosed
Closed this issue · 1 comments
CVE-2021-39153 - High Severity Vulnerability
Vulnerable Library - xstream-1.3.1.jar
Path to dependency file: /ready-api-plugin-template/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/thoughtworks/xstream/1.3.1/xstream-1.3.1.jar
Dependency Hierarchy:
- ready-api-soapui-pro-1.7.0.jar (Root Library)
- ready-api-soapui-1.7.0.jar
- ❌ xstream-1.3.1.jar (Vulnerable Library)
- ready-api-soapui-1.7.0.jar
Found in base branch: master
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39153
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
Release Date: 2021-08-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.18
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.