{
  "id": "CVE-2021-43859",
  "details": "XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.",
  "aliases": ["BIT-jenkins-2021-43859", "GHSA-rmr5-cpv2-vgjf"],
  "modified": "2026-04-02T07:36:59.087686Z",
  "published": "2022-02-01T12:15:08.080Z",
  "related": ["GHSA-rmr5-cpv2-vgjf", "SUSE-SU-2022:0817-1", "openSUSE-SU-2022:0817-1", "openSUSE-SU-2024:11809-1"],
  "references": [
    {"type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html"},
    {"type": "ADVISORY", "url": "http://www.openwall.com/lists/oss-security/2022/02/09/1"},
    {"type": "ADVISORY", "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html"},
    {"type": "FIX", "url": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846"},
    {"type": "FIX", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"},
    {"type": "FIX", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"},
    {"type": "ARTICLE", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/"},
    {"type": "ARTICLE", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/"},
    {"type": "EVIDENCE", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf"},
    {"type": "EVIDENCE", "url": "https://x-stream.github.io/CVE-2021-43859.html"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/jenkinsci/jenkins",
          "events": [
            {"introduced": "0"}, {"fixed": "8a29e8858b49da45c0071f690d4ceebe8db2f18f"},
            {"introduced": "9cf70b057886fb8191e434f23cd568d8c6f25c45"}, {"fixed": "66d8747a57e13e1dc0f55ff01ce9273de254343c"},
            {"introduced": "0"}, {"last_affected": "4acae8cfc7f56738e663b5744e098a96cf8bbda8"},
            {"introduced": "0"}, {"last_affected": "5c83c64e7af95bc5f216d841e4257c79403931d8"}
          ],
          "database_specific": {
            "versions": [
              {"introduced": "0"}, {"fixed": "2.319.3"},
              {"introduced": "2.321"}, {"fixed": "2.334"},
              {"introduced": "0"}, {"last_affected": "34"},
              {"introduced": "0"}, {"last_affected": "35"}
            ]
          }
        },
        {
          "type": "GIT",
          "repo": "https://github.com/x-stream/xstream",
          "events": [
            {"introduced": "0"}, {"fixed": "61a00fa225dc99488013869b57b772af8e2fea03"}, {"fixed": "e8e88621ba1c85ac3b8620337dd672e0c0c3a846"}
          ],
          "database_specific": {
            "versions": [{"introduced": "0"}, {"fixed": "1.4.19"}]
          }
        }
      ],
      "versions": [
        "1.312", "1.313", "1.314", "1.315", "1.316", "1.317", "1.318", "1.319", "1.320", "1.321", "1.322", "1.324-rc", "1.325-rc", "1.326", "1.327-rc", "1.328-rc", "1.329", "1.330",
        "1.331", "1.332", "1.333", "1.334", "1.335", "1.336", "1.337", "1.338", "1.339", "1.340", "1.341", "1.343", "1.344", "1.345", "1.346", "1.347", "1.348", "1.349", "1.350",
        "1.351", "1.352", "1.353", "1.354", "1.356", "1.357", "1.358", "1.359", "1.360", "1.361", "1.362", "1.363", "1.364", "1.365", "1.366", "1.367", "1.368", "1.370",
        "1.372", "1.373", "1.374", "1.376", "1.377", "1.378", "1.380", "1.381", "1.382", "1.383", "1.384", "1.385", "1.480.3-rc2", "1.480.3-rc3", "1.480.3-rc4", "1.502-rc1", "2.332.1-rc-2",
        "XSTREAM_0_2", "XSTREAM_0_3", "XSTREAM_0_4", "XSTREAM_0_5", "XSTREAM_0_6", "XSTREAM_0_6_RC1", "XSTREAM_1_0_1", "XSTREAM_1_0_2", "XSTREAM_1_0_RC1", "XSTREAM_1_1", "XSTREAM_1_1_1", "XSTREAM_1_1_2", "XSTREAM_1_1_3",
        "XSTREAM_1_2", "XSTREAM_1_2_1", "XSTREAM_1_2_2", "XSTREAM_1_3", "XSTREAM_1_3_1", "XSTREAM_1_4", "XSTREAM_1_4_1", "XSTREAM_1_4_10", "XSTREAM_1_4_11", "XSTREAM_1_4_11_1", "XSTREAM_1_4_12", "XSTREAM_1_4_13",
        "XSTREAM_1_4_14", "XSTREAM_1_4_15", "XSTREAM_1_4_16", "XSTREAM_1_4_17", "XSTREAM_1_4_18", "XSTREAM_1_4_2", "XSTREAM_1_4_3", "XSTREAM_1_4_4", "XSTREAM_1_4_5", "XSTREAM_1_4_6", "XSTREAM_1_4_7", "XSTREAM_1_4_8", "XSTREAM_1_4_9",
        "builds/10", "builds/11", "builds/12", "builds/13", "builds/14", "builds/15", "builds/16", "builds/17", "builds/18", "builds/19", "builds/2", "builds/21", "builds/22", "builds/23", "builds/24",
        "builds/26", "builds/27", "builds/28", "builds/29", "builds/3", "builds/30", "builds/31", "builds/32", "builds/33", "builds/34", "builds/4", "builds/5", "builds/6", "builds/7", "builds/9",
        "changes/10", "changes/11", "changes/12", "changes/13", "changes/14", "changes/15", "changes/16", "changes/17", "changes/18", "changes/19", "changes/2", "changes/20", "changes/21", "changes/22",
        "changes/23", "changes/24", "changes/25", "changes/26", "changes/27", "changes/28", "changes/29", "changes/3", "changes/30", "changes/31", "changes/32", "changes/33", "changes/34", "changes/4",
        "changes/5", "changes/6", "changes/7", "changes/8", "changes/9",
        "hudson-1_387", "hudson-1_388", "hudson-1_389", "hudson-1_390", "hudson-1_391", "hudson-1_392", "hudson-1_393", "hudson-1_394", "hudson-1_395",
        "jenkin-1.532.1-rc1", "jenkin-1.532.3-RC1",
        "jenkins-1.409.1", "jenkins-1.409.1-rc1", "jenkins-1.409.2", "jenkins-1.409.2-rc", "jenkins-1.409.3", "jenkins-1.416", "jenkins-1.417", "jenkins-1.418", "jenkins-1.419", "jenkins-1.420", "jenkins-1.421", "jenkins-1.422", "jenkins-1.423",
        "jenkins-1.424", "jenkins-1.424-rc2", "jenkins-1.424.1", "jenkins-1.424.1-rc1", "jenkins-1.424.1-rc2", "jenkins-1.424.1-rc3", "jenkins-1.424.2", "jenkins-1.424.2-rc1", "jenkins-1.424.2-rc2", "jenkins-1.424.2-rc3",
        "jenkins-1.424.3", "jenkins-1.424.3-rc2", "jenkins-1.424.4", "jenkins-1.424.5", "jenkins-1.424.6", "jenkins-1.425", "jenkins-1.426", "jenkins-1.427", "jenkins-1.428", "jenkins-1.429", "jenkins-1.430",
        "jenkins-1.431", "jenkins-1.432", "jenkins-1.433", "jenkins-1.434", "jenkins-1.435", "jenkins-1.436", "jenkins-1.437", "jenkins-1.438", "jenkins-1.439", "jenkins-1.440", "jenkins-1.441", "jenkins-1.442",
        "jenkins-1.443", "jenkins-1.444", "jenkins-1.445", "jenkins-1.446", "jenkins-1.447", "jenkins-1.447.1", "jenkins-1.447.1-rc1", "jenkins-1.447.2", "jenkins-1.448", "jenkins-1.449", "jenkins-1.450",
        "jenkins-1.451", "jenkins-1.452", "jenkins-1.453", "jenkins-1.454", "jenkins-1.455", "jenkins-1.456", "jenkins-1.457", "jenkins-1.458", "jenkins-1.459", "jenkins-1.460", "jenkins-1.461", "jenkins-1.462",
        "jenkins-1.463", "jenkins-1.464", "jenkins-1.465", "jenkins-1.466", "jenkins-1.466.1", "jenkins-1.466.1-rc1", "jenkins-1.466.2", "jenkins-1.467", "jenkins-1.468", "jenkins-1.469", "jenkins-1.470",
        "jenkins-1.471", "jenkins-1.472", "jenkins-1.473", "jenkins-1.474", "jenkins-1.475", "jenkins-1.477", "jenkins-1.478", "jenkins-1.479", "jenkins-1.480", "jenkins-1.480.1", "jenkins-1.480.1-RC1",
        "jenkins-1.480.2", "jenkins-1.480.3", "jenkins-1.481", "jenkins-1.482", "jenkins-1.483", "jenkins-1.484", "jenkins-1.485", "jenkins-1.486", "jenkins-1.487", "jenkins-1.488", "jenkins-1.489", "jenkins-1.490",
        "jenkins-1.491", "jenkins-1.492", "jenkins-1.493", "jenkins-1.494", "jenkins-1.495", "jenkins-1.496", "jenkins-1.497", "jenkins-1.498", "jenkins-1.499", "jenkins-1.500", "jenkins-1.501", "jenkins-1.502",
        "jenkins-1.503", "jenkins-1.504", "jenkins-1.505", "jenkins-1.506", "jenkins-1.507", "jenkins-1.508", "jenkins-1.509", "jenkins-1.509.1", "jenkins-1.509.1-rc1", "jenkins-1.509.1-rc2", "jenkins-1.509.2",
        "jenkins-1.509.2-rc1", "jenkins-1.509.3", "jenkins-1.509.3-rc1", "jenkins-1.509.4", "jenkins-1.509.4-rc1", "jenkins-1.509.4-sp3", "jenkins-1.510", "jenkins-1.511", "jenkins-1.512", "jenkins-1.513",
        "jenkins-1.514", "jenkins-1.515", "jenkins-1.516", "jenkins-1.517", "jenkins-1.518", "jenkins-1.519", "jenkins-1.520", "jenkins-1.521", "jenkins-1.522", "jenkins-1.523", "jenkins-1.524", "jenkins-1.525",
        "jenkins-1.526", "jenkins-1.527", "jenkins-1.528", "jenkins-1.529", "jenkins-1.530", "jenkins-1.531", "jenkins-1.532", "jenkins-1.532.1", "jenkins-1.532.1-rc1", "jenkins-1.532.2", "jenkins-1.532.3",
        "jenkins-1.532.3-RC1", "jenkins-1.533", "jenkins-1.534", "jenkins-1.535", "jenkins-1.536", "jenkins-1.537", "jenkins-1.538", "jenkins-1.539", "jenkins-1.540", "jenkins-1.541", "jenkins-1.542",
        "jenkins-1.543", "jenkins-1.544", "jenkins-1.545", "jenkins-1.546", "jenkins-1.547", "jenkins-1.548", "jenkins-1.549", "jenkins-1.550",
        "jenkins-1_396", "jenkins-1_397", "jenkins-1_398", "jenkins-1_399", "jenkins-1_400", "jenkins-1_401", "jenkins-1_402", "jenkins-1_403", "jenkins-1_404", "jenkins-1_405",
        "jenkins-1_406", "jenkins-1_407", "jenkins-1_408", "jenkins-1_409", "jenkins-1_410", "jenkins-1_411", "jenkins-1_412", "jenkins-1_413", "jenkins-1_414", "jenkins-1_415",
        "jenkins-2.321", "jenkins-2.322", "jenkins-2.323", "jenkins-2.324", "jenkins-2.325", "jenkins-2.326", "jenkins-2.327", "jenkins-2.328", "jenkins-2.329", "jenkins-2.330", "jenkins-2.331", "jenkins-2.332",
        "jenkins-2.332.1", "jenkins-2.332.1-rc", "jenkins-2.332.2", "jenkins-2.332.2-rc", "jenkins-2.332.2-rc-2", "jenkins-2.332.3", "jenkins-2.332.3-rc", "jenkins-2.332.4", "jenkins-2.333",
        "prototype-1.5.1.1", "prototype-1.7", "unified-annotation-indexer"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43859.json",
        "vanir_signatures": [
          {
            "digest": {"length": 181, "function_hash": "55566688760790417229342517075763677048"},
            "id": "CVE-2021-43859-29d87ff6",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java", "function": "testInstanceOfVoid"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 158, "function_hash": "261717738691877522929827956336707666449"},
            "id": "CVE-2021-43859-3b92b93a",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java", "function": "addCurrentElementToCollection"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 381, "function_hash": "17231138287832600381894592100287068069"},
            "id": "CVE-2021-43859-42b4ae14",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java", "function": "convert"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 650, "function_hash": "220166040034801707177840403453687177859"},
            "id": "CVE-2021-43859-43f10a94",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java", "function": "testCannotInjectEventHandler"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "37669725065981372541361920149060037669", "1754229239276929498699274070455340911", "41982352291054190134426946505239413600", "339132426552016436555085584248404447229",
                "281190335896921026067654418042948691705", "101836451350065470669588115209640466933", "170069226330896549956587004495602417294", "175405664480641811482846628989242555461",
                "308344043568311556500843217578373648934", "214661633136529325303486917787961611567", "57524199966063753519088560374134026781", "63361542330210864932936498280080202040",
                "121377978789604838791055385342124703054", "120564178264636159261842547107268022221", "280309282135332622366291820899588071183", "116140396242623306064878654562145661014",
                "228659153108235947882753463685898110017", "253465008515736530894371217708547114895", "47604041726619113582236911670478212984", "157827691179106628380218623395528602742",
                "299357159731611816879190520786090623494", "263325449489108397308033639618897227089", "195855868307017984720518213082419999218", "157827691179106628380218623395528602742",
                "56570557617033010041633030400660432580", "266269599569454697175169268514228635384"
              ]
            },
            "id": "CVE-2021-43859-48fd1814",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 372, "function_hash": "158675721028694727290893110113569592667"},
            "id": "CVE-2021-43859-59287a06",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java", "function": "unmarshal"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 219, "function_hash": "86104287393050438777889317149321611565"},
            "id": "CVE-2021-43859-827b0ed4",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java", "function": "putCurrentEntryIntoMap"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "47133092775335648767215388072869838081", "72897891070941714057763968897150290546", "204876188397446628625129180757218716667", "183977537466193036774603040383124982900",
                "108738211081595398246856293798472960621", "17550906770456504535387592149065180578", "160816637933070719777862874531377453485", "131320530687662887544912643709547885866",
                "79469178477997099640743731152801113345"
              ]
            },
            "id": "CVE-2021-43859-840ebf27",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "7616263090923437985525346265549616761", "211219839203299185987365307554810409985", "73721228261296255058296875540290052237", "239913871774152437040395752063489313149",
                "117725265296903224689269951407431455617", "126617756455122379474158532832345634375", "158235987049869476657084451570586380240", "314118849962306354916524331560040293068",
                "96433297052028480260787407611872064849", "325820611125133184921877174183212096326", "275047211673991781190008335997426805456", "251899931567808305004438430281872370011",
                "177754559542579598598790658770667215612", "118738670761640002657491233549629791713", "71362147945938633015783245649742152827", "239637841955745921799253626664476578801",
                "136908090792826903881571180858786345652", "226208401357142230571642567540990195204", "5923312382624037816122342231039016977", "256450194889914305419909032943252724007",
                "209578339882724276781126381994571211439", "207821519896740168085970131722419024131", "89998112668629298309028616244523277223", "257848222184230265269703082711942417201",
                "231035764628361720499571828605484840546", "48705185870131617258729178622391399075", "334353687146338771572110171878246600462", "164655022164759611606439376066928116229",
                "38013853609415735731977596616628687320"
              ]
            },
            "id": "CVE-2021-43859-9f4d057d",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 1357, "function_hash": "228474360994162782889542199712320720945"},
            "id": "CVE-2021-43859-ad6928e4",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java", "function": "populateMap"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "67983786004786075010774811532640513342", "155251688185425872193164153142665759940", "180982352636348001737525535511897856621", "291635795756997543440780842469637458131",
                "100411840036841395080916223528854409368", "45659907922294160967612934064248224018", "31472221394269137905746344083408247215", "88563598898606841684968123180300453216"
              ]
            },
            "id": "CVE-2021-43859-ad72fdf2",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "185869447222012862197413743734267332963", "274937438635320053675547534042926965660", "212113714018905300703044115447665097447", "315082099377130877878551267537102060517",
                "322595832639141750214961352993266288428", "288516566081390833032506510066468270740", "6674929763605018183272915908570643204", "256753108423566523410138376942892651005"
              ]
            },
            "id": "CVE-2021-43859-b91b8836",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "136451740817690776813850310762997082518", "105753953192027108849418635246114421000", "118882738501084926826075990972404281301", "212020063483191151362987575288808695462",
                "287333414921625036090543832290154043373", "9891789946521726045761755493407333519", "5559154755073053156556721280319387054", "238112864466872781268528486106920449733"
              ]
            },
            "id": "CVE-2021-43859-ccb9a04c",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 219, "function_hash": "11964886622017048364241710368819996484"},
            "id": "CVE-2021-43859-cf16e600",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java", "function": "readFromStream"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 873, "function_hash": "12709619694192487888878944821281014679"},
            "id": "CVE-2021-43859-df4b16d4",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java", "function": "createObjectInputStream"},
            "signature_version": "v1"
          },
          {
            "digest": {"length": 401, "function_hash": "253499341416318301251134402216259344937"},
            "id": "CVE-2021-43859-e2dd41b1",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Function",
            "deprecated": false,
            "target": {"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java", "function": "testCannotUseJaxwsInputStreamToDeleteFile"},
            "signature_version": "v1"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": ["302436115647464791492807424592955265526", "20337160572719266553945974133231939115", "100606639916437884206076948162615070323"]
            },
            "id": "CVE-2021-43859-f898dd1d",
            "source": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846",
            "signature_type": "Line",
            "deprecated": false,
            "target": {"file": "xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java"},
            "signature_version": "v1"
          }
        ],
        "unresolved_ranges": [
          {"events": [{"introduced": "0"}, {"last_affected": "9.0"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "11.3.2"}]},
          {"events": [{"introduced": "0"}, {"fixed": "12.0.0.4.6"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "12.0.0.5.0"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "1.9.0"}]},
          {"events": [{"introduced": "8.0.0"}, {"last_affected": "8.1.0"}]},
          {"events": [{"introduced": "8.2.0"}, {"last_affected": "8.2.6"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "12.6.0.0.0"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "12.1.0"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "16.0.6"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "17.0.4"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "18.0.3"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "19.0.2"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "20.0.1"}]}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]
}
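The record's details name two controls: the 1.4.19 fix (a time threshold on adding elements to collections and maps, which is why the vanir signatures above point at CollectionConverter, MapConverter, NamedMapConverter and TreeUnmarshaller) and the workaround for older versions, NO_REFERENCE mode (the constant is `XStream.NO_REFERENCES`). The following is an added example, not code from the XStream project or from this OSV record, showing how a consumer would build an XStream instance for untrusted input: a default instance beside a hardened one that enables NO_REFERENCES mode, denies every type and re-allows only the expected ones, and turns every XStream failure into a rejected request. The `Order` type, the `unhardened`/`hardened`/`parseUntrusted` helper names and the sample XML are constructed for this example; `setCollectionUpdateLimit(int)` is assumed to be the 1.4.19 setter for the threshold the record describes and is looked up reflectively so the class still loads against an older jar, where the missing method is itself the signal that the fix is absent.

```java
import java.util.ArrayList;
import java.util.List;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not XStream project code): default vs. hardened XStream setup
 * for untrusted XML in the context of CVE-2021-43859. Order, unhardened(),
 * hardened(), parseUntrusted() and the sample documents are constructed here.
 */
public class XStreamHardening {

    /** Constructed data type the application expects to receive. */
    public static class Order {
        public String sku;
        public int quantity;
        public List<String> tags;
    }

    /**
     * What many code bases ship. Before 1.4.19 a default instance resolves
     * "reference" attributes (the recursion the record's workaround prevents) and
     * has no time limit on filling collections, so a crafted document can pin a core.
     */
    public static XStream unhardened() {
        return new XStream();
    }

    /** Hardened instance for untrusted input. Build once and reuse; rebuilt per call here for clarity. */
    public static XStream hardened() {
        XStream xstream = new XStream();

        // Workaround from the record: back-references are neither emitted nor resolved.
        xstream.setMode(XStream.NO_REFERENCES);

        // Deny every type first, then re-allow only what this parser must produce.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Order.class, String.class, ArrayList.class });
        xstream.alias("order", Order.class);

        // 1.4.19+ only (assumed setter for the threshold the record describes):
        // tighten the time budget for adding elements to collections. Resolved
        // reflectively so this also compiles against an older jar.
        try {
            XStream.class.getMethod("setCollectionUpdateLimit", int.class).invoke(xstream, 5);
        } catch (NoSuchMethodException e) {
            System.err.println("WARNING: XStream older than 1.4.19 on classpath; "
                    + "no collection time guard for CVE-2021-43859, upgrade");
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
        return xstream;
    }

    /**
     * Unmarshal untrusted XML. Any XStream failure (forbidden class, malformed
     * input, the 1.4.19 threshold exception) surfaces as a rejected request
     * instead of leaking library internals; an allowed but unexpected root type
     * is rejected as well rather than becoming a ClassCastException later.
     */
    public static Order parseUntrusted(String xml) {
        final Object result;
        try {
            result = hardened().fromXML(xml);
        } catch (XStreamException e) {
            throw new IllegalArgumentException("rejected untrusted XML: " + e.getMessage(), e);
        }
        if (!(result instanceof Order)) {
            throw new IllegalArgumentException("unexpected root type: "
                    + (result == null ? "null" : result.getClass().getName()));
        }
        return (Order) result;
    }

    public static void main(String[] args) {
        // Constructed benign document that matches the allow-list.
        String benign = "<order><sku>A-1</sku><quantity>2</quantity>"
                + "<tags><string>gift</string></tags></order>";
        Order o = parseUntrusted(benign);
        System.out.println("accepted: " + o.sku + " x" + o.quantity + " tags=" + o.tags);

        // Constructed hostile document: a type outside the allow-list. The hardened
        // instance throws ForbiddenClassException (an XStreamException) when the
        // element name is resolved, before any instance is created.
        try {
            parseUntrusted("<java.lang.ProcessBuilder/>");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The allow-list is the part worth keeping even after upgrading to 1.4.19: the time threshold bounds how long a hostile document can keep a thread busy, but it is the type restriction that keeps deserialization from reaching gadget classes at all. Run with the XStream jar on the classpath; against a pre-1.4.19 jar the warning on stderr tells you the fix is missing.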