Resource exhaustion in X-stream Xstream
CVE-2021-43859
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a pa…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.019 (83.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- X-stream Xstream — versions < 1.4.19
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf (x_refsource_CONFIRM)
- github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 (x_refsource_MISC)
- x-stream.github.io/CVE-2021-43859.html (x_refsource_MISC)
- [oss-security] 20220209 Vulnerability in Jenkins (mailing-list, x_refsource_MLIST)
- FEDORA-2022-ad5cf1c0dd (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2022-983a78275c (vendor-advisory, x_refsource_FEDORA)
- [debian-lts-announce] 20220215 [SECURITY] [DLA 2924-1] libxstream-java security update (mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpuapr2022.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2021-43859?
- CVE-2021-43859 is a high-severity vulnerability in X-stream Xstream, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2022-02-01.
- How severe is CVE-2021-43859?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2021-43859 known to be exploited?
- 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.