All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Description

The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.

Steps to Reproduce

Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream:

<java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - xstream-distribution/src/content/CVE-2021-21349.html [20:42]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - from an arbitrary URL referencing a resource in an intranet or the local host.

Affected Versions

Description

Steps to Reproduce

Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream:

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -