The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1729 advisory.

    A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw     allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the     processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as     well as system availability. (CVE-2021-39139)

    XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

    A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw     allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the     processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as     well as system availability. (CVE-2021-39141) (CVE-2021-39144) (CVE-2021-39145) (CVE-2021-39146)     (CVE-2021-39147) (CVE-2021-39148) (CVE-2021-39149) (CVE-2021-39151) (CVE-2021-39153) (CVE-2021-39154)

    A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw     allows a remote attacker to request data from internal resources that are not publicly available by     manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this     vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-39150)     (CVE-2021-39152)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : xstream (ALAS-2021-1729)

high Nessus Plugin ID 155989

Version 1.7

Version 1.6

Version 1.5

Version 1.4

Version 1.3

Version 1.7 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.6 Mar 10, 2023, 11:54 PM CISA reference CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") Plugin Feed: 202303102354
Version 1.5 Jan 23, 2023, 4:10 PM Exploit attributes ("Exploit framework core" set to "True") Plugin Feed: 202301231610
Version 1.4 Dec 6, 2022, 2:54 AM Reference Plugin Feed: 202212060254
Version 1.3 Nov 16, 2022, 9:51 PM CVSS temporal metrics Exploit attributes Plugin Feed: 202211162151