一、 漏洞 CVE-2021-29505 基础信息
漏洞信息
# XStream易受远程命令执行攻击
## 概述
XStream 是一款用于将 Java 对象序列化为 XML 并逆向转换的软件。在 XStream 1.4.17 之前的版本中存在一个漏洞,允许远程攻击者通过操纵处理的输入流来执行主机上的命令。
## 影响版本
- XStream 1.4.17 之前的版本
## 细节
该漏洞允许可访问输入流的远程攻击者执行主机上的命令。但遵循建议配置 XStream 安全框架并限定白名单仅包含最小必需类型的用户不受影响。
## 影响
- 允许远程命令执行
- 受影响版本已在 1.4.17 中修复
提示
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
二、漏洞 CVE-2021-29505 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | 对CVE-2021-29505进行复现,并分析学了下Xstream反序列化过程 | https://github.com/MyBlackManba/CVE-2021-29505 | POC详情 |
| 2 | XStream before 1.4.17 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-29505.yaml | POC详情 |
| 3 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/XStream%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2021-29505.md | POC详情 |
| 4 | https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.md | POC详情 |
三、漏洞 CVE-2021-29505 的情报信息
- https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f x_refsource_MISC
- https://www.oracle.com/security-alerts/cpujul2022.html x_refsource_MISC
- https://www.oracle.com/security-alerts/cpuapr2022.html x_refsource_MISC
- https://www.oracle.com/security-alerts/cpujan2022.html x_refsource_MISC
- https://security.netapp.com/advisory/ntap-20210708-0007/ x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
- https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc x_refsource_CONFIRM
- https://www.debian.org/security/2021/dsa-5004 vendor-advisory x_refsource_DEBIAN
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ vendor-advisory x_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ vendor-advisory x_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ vendor-advisory x_refsource_FEDORA
-
-
-
标题: Add description of CVE-2021-29505 and bug fix. · x-stream/xstream@f0c4a8d · GitHub -- 🔗来源链接
标签: x_refsource_MISC
神龙速读
- https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html mailing-list x_refsource_MLIST
- https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E mailing-list x_refsource_MLIST
-
标题: [GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16)-Apache Mail Archives -- 🔗来源链接
标签: x_refsource_MISC
神龙速读![[GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16)-Apache Mail Archives](https://cvepdf.imfht.com:2443//ti_screenshot/2025-05-30/screenshot-full-2025-05-30T16-33-19.539Z-4ab66bd53c2bee50589e.webp)
-
标题: [SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora mailing-lists -- 🔗来源链接
标签: x_refsource_MISC
![[SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora mailing-lists](https://cvepdf.imfht.com:2443//ti_screenshot/2025-01-25/screenshot-viewport-2025-01-25T20-46-54.800Z-57c111b319849b2ab840.webp)
-
标题: [SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora mailing-lists -- 🔗来源链接
标签: x_refsource_MISC
![[SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora mailing-lists](https://cvepdf.imfht.com:2443//ti_screenshot/2025-01-25/screenshot-viewport-2025-01-25T20-46-47.045Z-e331cb3600984b284a64.webp)
-
标题: [SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora mailing-lists -- 🔗来源链接
标签: x_refsource_MISC
![[SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora mailing-lists](https://cvepdf.imfht.com:2443//ti_screenshot/2025-01-25/screenshot-viewport-2025-01-25T20-46-45.213Z-61912651e032ef0d8f53.webp)
- https://nvd.nist.gov/vuln/detail/CVE-2021-29505