CVE-2021-39153

Name of the Vulnerable Software and Affected Versions XStream versions prior to 1.4.18

Description This issue may allow a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. Users who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected. The vulnerability is related to the use of a blacklist by default, which cannot be secured for general purpose.

Recommendations For versions prior to 1.4.18, consider setting up XStream's security framework with a whitelist limited to the minimal required types to mitigate the risk of exploitation. As a temporary workaround, consider restricting the use of the vulnerable library until a patch is available. For XStream version 1.4.18 and later, no additional action is required since it no longer uses a blacklist by default.