{"id":"CVE-2021-43859","details":"XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.","aliases":["BIT-jenkins-2021-43859","GHSA-rmr5-cpv2-vgjf"],"modified":"2026-04-11T23:37:19.670539Z","published":"2022-02-01T12:15:08.080Z","related":["GHSA-rmr5-cpv2-vgjf","SUSE-SU-2022:0817-1","openSUSE-SU-2022:0817-1","openSUSE-SU-2024:11809-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/02/09/1"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html"},{"type":"FIX","url":"https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/"},{"type":"EVIDENCE","url":"https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf"},{"type":"EVIDENCE","url":"https://x-stream.github.io/CVE-2021-
43859.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"0"},{"fixed":"8a29e8858b49da45c0071f690d4ceebe8db2f18f"},{"introduced":"9cf70b057886fb8191e434f23cd568d8c6f25c45"},{"fixed":"66d8747a57e13e1dc0f55ff01ce9273de254343c"},{"introduced":"0"},{"last_affected":"4acae8cfc7f56738e663b5744e098a96cf8bbda8"},{"introduced":"0"},{"last_affected":"5c83c64e7af95bc5f216d841e4257c79403931d8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.319.3"},{"introduced":"2.321"},{"fixed":"2.334"},{"introduced":"0"},{"last_affected":"34"},{"introduced":"0"},{"last_affected":"35"}]}},{"type":"GIT","repo":"https://github.com/x-stream/xstream","events":[{"introduced":"0"},{"fixed":"61a00fa225dc99488013869b57b772af8e2fea03"},{"fixed":"e8e88621ba1c85ac3b8620337dd672e0c0c3a846"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.19"}]}}],"versions":["1.324-rc","1.325-rc","1.327-rc","1.328-rc","XSTREAM_1_4_10","XSTREAM_1_4_11","XSTREAM_1_4_11_1","XSTREAM_1_4_12","XSTREAM_1_4_13","XSTREAM_1_4_14","XSTREAM_1_4_15","XSTREAM_1_4_16","XSTREAM_1_4_17","XSTREAM_1_4_18","XSTREAM_1_4_5","XSTREAM_1_4_9","builds/101","builds/102","builds/103","builds/104","builds/105","builds/106","builds/107","builds/108","builds/109","builds/110","builds/112","builds/113","builds/114","builds/115","builds/116","builds/117","builds/118","builds/119","builds/120","builds/121","builds/122","builds/123","builds/124","builds/125","builds/126","builds/127","builds/128","builds/130","builds/131","builds/132","builds/133","builds/134","builds/135","builds/136","builds/137","builds/138","builds/139","builds/140","builds/141","builds/142","builds/143","builds/144","builds/145","builds/146","builds/147","builds/148","builds/149","builds/150","builds/151","builds/152","builds/153","builds/154","builds/155","builds/156","builds/157","builds/158","builds/16","builds/160","builds/161","builds/162","builds/163","builds/164","builds/165","
builds/166","builds/168","builds/169","builds/17","builds/170","builds/171","builds/172","builds/173","builds/174","builds/176","builds/177","builds/179","builds/18","builds/180","builds/181","builds/182","builds/183","builds/184","builds/185","builds/186","builds/187","builds/188","builds/189","builds/190","builds/191","builds/192","builds/193","builds/194","builds/195","builds/196","builds/197","builds/198","builds/199","builds/2","builds/200","builds/201","builds/202","builds/203","builds/204","builds/205","builds/206","builds/207","builds/209","builds/21","builds/210","builds/211","builds/212","builds/213","builds/214","builds/215","builds/216","builds/217","builds/218","builds/219","builds/22","builds/220","builds/221","builds/222","builds/223","builds/224","builds/225","builds/227","builds/228","builds/229","builds/23","builds/230","builds/231","builds/232","builds/233","builds/234","builds/235","builds/236","builds/237","builds/238","builds/239","builds/24","builds/240","builds/241","builds/242","builds/243","builds/244","builds/245","builds/247","builds/248","builds/249","builds/250","builds/251","builds/254","builds/255","builds/256","builds/257","builds/258","builds/259","builds/26","builds/260","builds/262","builds/264","builds/265","builds/266","builds/267","builds/268","builds/269","builds/27","builds/270","builds/271","builds/272","builds/273","builds/274","builds/275","builds/276","builds/277","builds/278","builds/279","builds/28","builds/280","builds/281","builds/282","builds/284","builds/285","builds/286","builds/287","builds/288","builds/29","builds/290","builds/291","builds/293","builds/294","builds/295","builds/296","builds/297","builds/298","builds/299","builds/30","builds/300","builds/301","builds/302","builds/303","builds/304","builds/305","builds/306","builds/31","builds/32","builds/33","builds/338","builds/339","builds/34","builds/340","builds/341","builds/342","builds/343","builds/344","builds/345","builds/346","builds/348","builds/35","bui
lds/350","builds/352","builds/353","builds/355","builds/356","builds/357","builds/358","builds/359","builds/36","builds/361","builds/363","builds/37","builds/370","builds/371","builds/372","builds/39","builds/40","builds/41","builds/42","builds/43","builds/44","builds/46","builds/47","builds/48","builds/49","builds/50","builds/51","builds/52","builds/53","builds/54","builds/55","builds/56","builds/77","builds/81","builds/82","builds/83","builds/85","builds/86","builds/89","builds/90","builds/92","builds/93","builds/94","changes/101","changes/102","changes/103","changes/104","changes/105","changes/106","changes/107","changes/108","changes/109","changes/110","changes/113","changes/114","changes/115","changes/116","changes/117","changes/118","changes/119","changes/120","changes/121","changes/122","changes/123","changes/124","changes/125","changes/126","changes/127","changes/128","changes/130","changes/131","changes/132","changes/133","changes/134","changes/135","changes/136","changes/137","changes/138","changes/139","changes/140","changes/141","changes/142","changes/143","changes/144","changes/145","changes/146","changes/147","changes/148","changes/149","changes/150","changes/151","changes/152","changes/153","changes/154","changes/155","changes/156","changes/157","changes/158","changes/16","changes/161","changes/162","changes/163","changes/164","changes/165","changes/166","changes/169","changes/17","changes/170","changes/171","changes/172","changes/173","changes/174","changes/176","changes/177","changes/179","changes/18","changes/180","changes/181","changes/182","changes/183","changes/184","changes/185","changes/186","changes/187","changes/188","changes/189","changes/190","changes/191","changes/192","changes/193","changes/194","changes/195","changes/196","changes/197","changes/198","changes/199","changes/2","changes/20","changes/200","changes/201","changes/202","changes/203","changes/204","changes/205","changes/206","changes/207","changes/209","changes/21","changes/210
","changes/211","changes/212","changes/213","changes/214","changes/215","changes/216","changes/217","changes/218","changes/22","changes/220","changes/221","changes/222","changes/223","changes/224","changes/225","changes/228","changes/229","changes/23","changes/230","changes/231","changes/232","changes/233","changes/234","changes/235","changes/236","changes/237","changes/238","changes/239","changes/24","changes/240","changes/241","changes/242","changes/243","changes/244","changes/245","changes/248","changes/249","changes/250","changes/251","changes/255","changes/256","changes/257","changes/258","changes/259","changes/262","changes/265","changes/266","changes/267","changes/268","changes/269","changes/27","changes/270","changes/271","changes/272","changes/273","changes/274","changes/275","changes/276","changes/277","changes/278","changes/279","changes/28","changes/280","changes/281","changes/282","changes/284","changes/286","changes/287","changes/288","changes/29","changes/290","changes/291","changes/293","changes/294","changes/295","changes/296","changes/297","changes/298","changes/299","changes/30","changes/300","changes/301","changes/302","changes/303","changes/304","changes/305","changes/306","changes/31","changes/32","changes/338","changes/339","changes/34","changes/340","changes/342","changes/343","changes/344","changes/345","changes/346","changes/348","changes/35","changes/350","changes/352","changes/353","changes/356","changes/357","changes/358","changes/36","changes/361","changes/363","changes/37","changes/370","changes/371","changes/372","changes/39","changes/40","changes/41","changes/42","changes/43","changes/44","changes/46","changes/47","changes/48","changes/49","changes/50","changes/51","changes/52","changes/53","changes/54","changes/55","changes/56","changes/76","changes/77","changes/79","changes/81","changes/82","changes/83","changes/85","changes/86","changes/89","changes/90","changes/92","changes/93","changes/94","jenkins-1.604","jenkins-1.605","jenkin
s-1.606","jenkins-1.607","jenkins-1.608","jenkins-1.609","jenkins-1.610","jenkins-1.614","jenkins-1.615","jenkins-1.616","jenkins-1.617","jenkins-1.618","jenkins-1.619","jenkins-1.620","jenkins-1.621","jenkins-1.622","jenkins-1.623","jenkins-1.624","jenkins-1.625","jenkins-1.626","jenkins-1.627","jenkins-1.628","jenkins-1.638","jenkins-1.639","jenkins-1.640","jenkins-1.641","jenkins-1.642","jenkins-1.643","jenkins-1.644","jenkins-1.645","jenkins-1.646","jenkins-1.647","jenkins-1.648","jenkins-1.649","jenkins-1.650","jenkins-1.651","jenkins-1.652","jenkins-1.653","jenkins-1.654","jenkins-1.655","jenkins-1.656","jenkins-2.10","jenkins-2.100","jenkins-2.101","jenkins-2.102","jenkins-2.103","jenkins-2.104","jenkins-2.105","jenkins-2.106","jenkins-2.108","jenkins-2.109","jenkins-2.11","jenkins-2.116","jenkins-2.117","jenkins-2.118","jenkins-2.12","jenkins-2.121","jenkins-2.122","jenkins-2.124","jenkins-2.125","jenkins-2.126","jenkins-2.127","jenkins-2.128","jenkins-2.129","jenkins-2.13","jenkins-2.130","jenkins-2.131","jenkins-2.132","jenkins-2.134","jenkins-2.135","jenkins-2.138","jenkins-2.14","jenkins-2.140","jenkins-2.141","jenkins-2.142","jenkins-2.143","jenkins-2.146","jenkins-2.147","jenkins-2.148","jenkins-2.149","jenkins-2.15","jenkins-2.150","jenkins-2.151","jenkins-2.154","jenkins-2.155","jenkins-2.156","jenkins-2.16","jenkins-2.160","jenkins-2.161","jenkins-2.162","jenkins-2.163","jenkins-2.164","jenkins-2.165","jenkins-2.17","jenkins-2.172","jenkins-2.173","jenkins-2.174","jenkins-2.18","jenkins-2.186","jenkins-2.19","jenkins-2.192","jenkins-2.197","jenkins-2.198","jenkins-2.199","jenkins-2.20","jenkins-2.200","jenkins-2.201","jenkins-2.202","jenkins-2.203","jenkins-2.204","jenkins-2.205","jenkins-2.21","jenkins-2.219","jenkins-2.22","jenkins-2.228","jenkins-2.229","jenkins-2.23","jenkins-2.230","jenkins-2.231","jenkins-2.232","jenkins-2.233","jenkins-2.234","jenkins-2.235","jenkins-2.236","jenkins-2.24","jenkins-2.245","jenkins-2.246","jenkins-2.247","jenki
ns-2.248","jenkins-2.249","jenkins-2.25","jenkins-2.250","jenkins-2.251","jenkins-2.253","jenkins-2.254","jenkins-2.255","jenkins-2.256","jenkins-2.257","jenkins-2.258","jenkins-2.259","jenkins-2.26","jenkins-2.260","jenkins-2.261","jenkins-2.262","jenkins-2.263","jenkins-2.264","jenkins-2.265","jenkins-2.266","jenkins-2.267","jenkins-2.268","jenkins-2.269","jenkins-2.27","jenkins-2.270","jenkins-2.271","jenkins-2.272","jenkins-2.273","jenkins-2.274","jenkins-2.276","jenkins-2.277","jenkins-2.278","jenkins-2.279","jenkins-2.28","jenkins-2.280","jenkins-2.281","jenkins-2.282","jenkins-2.283","jenkins-2.284","jenkins-2.285","jenkins-2.286","jenkins-2.287","jenkins-2.288","jenkins-2.289","jenkins-2.29","jenkins-2.290","jenkins-2.291","jenkins-2.292","jenkins-2.293","jenkins-2.294","jenkins-2.295","jenkins-2.296","jenkins-2.297","jenkins-2.298","jenkins-2.299","jenkins-2.3","jenkins-2.30","jenkins-2.301","jenkins-2.302","jenkins-2.303","jenkins-2.304","jenkins-2.305","jenkins-2.306","jenkins-2.307","jenkins-2.308","jenkins-2.309","jenkins-2.31","jenkins-2.310","jenkins-2.311","jenkins-2.312","jenkins-2.313","jenkins-2.314","jenkins-2.316","jenkins-2.317","jenkins-2.318","jenkins-2.319","jenkins-2.319.1","jenkins-2.319.1-rc","jenkins-2.319.2","jenkins-2.319.2-rc","jenkins-2.32","jenkins-2.321","jenkins-2.322","jenkins-2.323","jenkins-2.324","jenkins-2.325","jenkins-2.326","jenkins-2.327","jenkins-2.328","jenkins-2.329","jenkins-2.33","jenkins-2.330","jenkins-2.331","jenkins-2.332","jenkins-2.333","jenkins-2.34","jenkins-2.35","jenkins-2.36","jenkins-2.37","jenkins-2.4","jenkins-2.44","jenkins-2.45","jenkins-2.46","jenkins-2.47","jenkins-2.48","jenkins-2.49","jenkins-2.5","jenkins-2.50","jenkins-2.51","jenkins-2.52","jenkins-2.53","jenkins-2.57","jenkins-2.58","jenkins-2.59","jenkins-2.6","jenkins-2.60","jenkins-2.61","jenkins-2.62","jenkins-2.63","jenkins-2.64","jenkins-2.65","jenkins-2.66","jenkins-2.67","jenkins-2.68","jenkins-2.7","jenkins-2.8","jenkins-2.9","jenkins-
2.95","jenkins-2.96","jenkins-2.97","jenkins-2.98","jenkins-2.99"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.9.0"}]},{"events":[{"introduced":"8.0.0"},{"last_affected":"8.1.0"}]},{"events":[{"introduced":"8.2.0"},{"last_affected":"8.2.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.6.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43859.json","vanir_signatures_modified":"2026-04-11T23:37:19Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}