{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"CRITICAL"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21347"
			},
			{
				"summary":"CVE-2021-21347 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2021/csaf-openEuler-CVE-2021-21347.json"
			},
			{
				"summary":"openEuler-SA-2021-1185",
				"category":"self",
				"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1185"
			},
			{
				"summary":"CVE-2021-21347",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-21347&packageName=xstream"
			}
		],
		"title":"openEuler cve CVE-2021-21347",
		"tracking":{
			"initial_release_date":"2021-05-15T09:19:59+08:00",
			"revision_history":[
				{
					"date":"2021-05-15T09:19:59+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:19:59+08:00",
					"summary":"Current version",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:19:59+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:19:59+08:00",
			"id":"CVE-2021-21347",
			"version":"2.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"xstream-javadoc-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"xstream-javadoc-1.4.16-1.oe1.noarch.rpm"
								},
								"name":"xstream-javadoc-1.4.16-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"xstream-hibernate-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"xstream-hibernate-1.4.16-1.oe1.noarch.rpm"
								},
								"name":"xstream-hibernate-1.4.16-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"xstream-benchmark-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"xstream-benchmark-1.4.16-1.oe1.noarch.rpm"
								},
								"name":"xstream-benchmark-1.4.16-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"xstream-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"xstream-1.4.16-1.oe1.noarch.rpm"
								},
								"name":"xstream-1.4.16-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"xstream-parent-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"xstream-parent-1.4.16-1.oe1.noarch.rpm"
								},
								"name":"xstream-parent-1.4.16-1.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"xstream-1.4.16-1.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"xstream-1.4.16-1.oe1.src.rpm"
								},
								"name":"xstream-1.4.16-1.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"xstream-javadoc-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:xstream-javadoc-1.4.16-1.oe1.noarch",
					"name":"xstream-javadoc-1.4.16-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"xstream-hibernate-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:xstream-hibernate-1.4.16-1.oe1.noarch",
					"name":"xstream-hibernate-1.4.16-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"xstream-benchmark-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:xstream-benchmark-1.4.16-1.oe1.noarch",
					"name":"xstream-benchmark-1.4.16-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"xstream-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.noarch",
					"name":"xstream-1.4.16-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"xstream-parent-1.4.16-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:xstream-parent-1.4.16-1.oe1.noarch",
					"name":"xstream-parent-1.4.16-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"xstream-1.4.16-1.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.src",
					"name":"xstream-1.4.16-1.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2021-21347",
			"notes":[
				{
					"text":"XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"CRITICAL",
						"baseScore":9.8,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:xstream-javadoc-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-hibernate-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-benchmark-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-parent-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.src"
					]
				}
			],
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:xstream-javadoc-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-hibernate-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-benchmark-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-parent-1.4.16-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.src"
					],
					"details":"xstream security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1185"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:xstream-javadoc-1.4.16-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:xstream-hibernate-1.4.16-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:xstream-benchmark-1.4.16-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:xstream-parent-1.4.16-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:xstream-1.4.16-1.oe1.src"
				]
			},
			"threats":[
				{
					"details":"Critical",
					"category":"impact"
				}
			],
			"title":"CVE-2021-21347"
		}
	]
}