How severe is CVE-2021-21342?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2021-21342?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2021-21342

CRITICAL Year: 2021

CVSS v3 Score

9.1

Critical

CVSS v2 Score

5.8

Medium

Weakness Type

CWE-502

View all →

Vulnerability Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVE-2016-3415

CRITICAL

CVSS:9.1(Critical)

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

CWE-5022016

CVE-2016-6793

CRITICAL

CVSS:9.1(Critical)

The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the per...

CWE-5022016

CVE-2020-11467

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, a...

CWE-5022020

CVE-2020-6219

CRITICAL

CVSS:9.1(Critical)

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform ...

CWE-5022020

CVE-2021-29508

CRITICAL

CVSS:9.1(Critical)

Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information abo...

CWE-5022021

CVE-2021-32742

CRITICAL

CVSS:9.1(Critical)

Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial o...

CWE-5022021

CVE-2021-21342

Vulnerability Description

Related Vulnerabilities

CVE-2016-3415

CVE-2016-6793

CVE-2020-11467

CVE-2020-6219

CVE-2021-29508

CVE-2021-32742