CVE-2021-29505
📊 7.5 HIGH⚡ 90.8%🎯 2 exploits
📅 Published May 28, 2021
📋 Status: Modified
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CVSS v3.1 • [email protected]
🎯 Affected Products & Systems
42 product configurations affected
Filter by type:
| Type | Vendor | Product | Version Range | Status | CPE String |
|---|---|---|---|---|---|
📱App | xstream | xstream | < 1.4.17 | Vulnerable | cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:* |
💻OS | debian | debian linux | 9.0 | Vulnerable | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
💻OS | debian | debian linux | 10.0 | Vulnerable | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
💻OS | debian | debian linux | 11.0 | Vulnerable | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
💻OS | fedoraproject | fedora | 33 | Vulnerable | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
💻OS | fedoraproject | fedora | 34 | Vulnerable | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
💻OS | fedoraproject | fedora | 35 | Vulnerable | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
📱App | netapp | snapmanager | All versions Target SW: oracle | Vulnerable | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:* |
📱App | netapp | snapmanager | All versions Target SW: sap | Vulnerable | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:* |
📱App | oracle | banking cash management | 14.2 | Vulnerable | cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:* |
📱App | oracle | banking cash management | 14.3 | Vulnerable | cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:* |
📱App | oracle | banking cash management | 14.5 | Vulnerable | cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:* |
📱App | oracle | banking corporate lending process management | 14.2.0 | Vulnerable | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* |
📱App | oracle | banking corporate lending process management | 14.3.0 | Vulnerable | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* |
📱App | oracle | banking corporate lending process management | 14.5.0 | Vulnerable | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* |
📱App | oracle | banking credit facilities process management | 14.2.0 | Vulnerable | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* |
📱App | oracle | banking credit facilities process management | 14.3.0 | Vulnerable | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* |
📱App | oracle | banking credit facilities process management | 14.5.0 | Vulnerable | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* |
📱App | oracle | banking supply chain finance | 14.2.0 | Vulnerable | cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* |
📱App | oracle | banking trade finance process management | 14.5.0 | Vulnerable | cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* |
📱App | oracle | business activity monitoring | 11.1.1.9.0 | Vulnerable | cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:* |
📱App | oracle | business activity monitoring | 12.2.1.3.0 | Vulnerable | cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:* |
📱App | oracle | business activity monitoring | 12.2.1.4.0 | Vulnerable | cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* |
📱App | oracle | communications brm - elastic charging engine | 11.3 | Vulnerable | cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:* |
📱App | oracle | communications brm - elastic charging engine | 12.0 | Vulnerable | cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:* |
📱App | oracle | communications unified inventory management | 7.3.4 | Vulnerable | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* |
📱App | oracle | communications unified inventory management | 7.3.5 | Vulnerable | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* |
📱App | oracle | communications unified inventory management | 7.4.0 | Vulnerable | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
📱App | oracle | communications unified inventory management | 7.4.1 | Vulnerable | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* |
📱App | oracle | communications unified inventory management | 7.4.2 | Vulnerable | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* |
📱App | oracle | enterprise manager ops center | 12.4.0.0 | Vulnerable | cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* |
📱App | oracle | retail customer insights | 15.0.2 | Vulnerable | cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:* |
📱App | oracle | retail customer insights | 16.0.2 | Vulnerable | cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:* |
📱App | oracle | retail xstore point of service | 16.0.6 | Vulnerable | cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* |
📱App | oracle | retail xstore point of service | 17.0.4 | Vulnerable | cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* |
📱App | oracle | retail xstore point of service | 18.0.3 | Vulnerable | cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* |
📱App | oracle | retail xstore point of service | 19.0.2 | Vulnerable | cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* |
📱App | oracle | retail xstore point of service | 20.0.1 | Vulnerable | cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* |
📱App | oracle | webcenter portal | 12.2.1.3.0 | Vulnerable | cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
📱App | oracle | webcenter portal | 12.2.1.4.0 | Vulnerable | cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* |
📱App | oracle | webcenter sites | 12.2.1.3.0 | Vulnerable | cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* |
📱App | oracle | webcenter sites | 12.2.1.4.0 | Vulnerable | cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* |
Version: < 1.4.17
CPE:
cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
💻
VulnerableOperating System
Version: 9.0
CPE:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
💻
VulnerableOperating System
Version: 10.0
CPE:
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
💻
VulnerableOperating System
Version: 11.0
CPE:
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
💻
VulnerableOperating System
Version: 33
CPE:
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
💻
VulnerableOperating System
Version: 34
CPE:
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
💻
VulnerableOperating System
Version: 35
CPE:
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: All versions
Target SW: oracle
CPE:
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
📱
VulnerableApplication
Version: All versions
Target SW: sap
CPE:
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
📱
VulnerableApplication
Version: 14.2
CPE:
cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.3
CPE:
cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.5
CPE:
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.2.0
CPE:
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.3.0
CPE:
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.5.0
CPE:
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.2.0
CPE:
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.3.0
CPE:
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.5.0
CPE:
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.2.0
CPE:
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 14.5.0
CPE:
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 11.1.1.9.0
CPE:
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.2.1.3.0
CPE:
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.2.1.4.0
CPE:
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 11.3
CPE:
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.0
CPE:
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.3.4
CPE:
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.3.5
CPE:
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4.0
CPE:
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4.1
CPE:
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4.2
CPE:
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.4.0.0
CPE:
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 15.0.2
CPE:
cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 16.0.2
CPE:
cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 16.0.6
CPE:
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 17.0.4
CPE:
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 18.0.3
CPE:
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 19.0.2
CPE:
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 20.0.1
CPE:
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.2.1.3.0
CPE:
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.2.1.4.0
CPE:
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.2.1.3.0
CPE:
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 12.2.1.4.0
CPE:
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
42 products•scroll for more
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector:
NETWORK
Complexity:
HIGH
Privileges:
LOW
User Interaction:
NONE
Confidentiality:
HIGH
Integrity:
HIGH
Availability:
HIGH
Scope:
UNCHANGED
🔍 Technical Details
Analysis Status
ModifiedCVSS Details
7.5 (HIGH)v3.1
Source: [email protected]
EPSS Details
90.8% (Critical)99.6th percentile
Last updated: Nov 1, 2025
Exploitation probability within 30 days
Published Date
May 28, 2021 (4 years ago)
Last Modified
May 30, 2025 (5 months ago)
Security Weaknesses3
CWE-94CWE-502
Available exploits (2)
References21
NVDpatchpatch+18