CVE-2021-21348: 
MySQL vulnerability analysis and mitigation

CVE-2021-21348 affects XStream, a Java library to serialize objects to XML and back again, in versions before 1.4.16. The vulnerability allows a remote attacker to occupy a thread that consumes maximum CPU time and will never return through a Regular Expression Denial of Service (ReDoS) attack. The vulnerability was discovered and reported by threedr3am (GitHub Advisory).

The vulnerability exists in XStream's unmarshalling process where the processed stream contains type information to recreate previously written objects. An attacker can manipulate the input stream and replace or inject objects that result in the evaluation of a malicious regular expression, causing a denial of service. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows a remote attacker to cause a Denial of Service by occupying a thread that consumes maximum CPU time and never returns. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types (XStream CVE).

Users should upgrade to XStream version 1.4.16 or later. For users who cannot upgrade, the recommended workaround is to setup XStream's security framework with a whitelist limited to the minimal required types. For versions 1.4.7 to 1.4.15, users can implement specific security permissions and type denials as detailed in XStream's security documentation (XStream Security).