CVE-2021-39150: 
Java vulnerability analysis and mitigation

XStream, a Java library used to serialize objects to XML and back again, was found to contain a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2021-39150. The vulnerability affects all versions up to and including 1.4.17 when using Java runtime versions 8 through 14. The issue was discovered and disclosed in August 2021 (XStream CVE, GitHub Advisory).

The vulnerability occurs during the unmarshalling process when XStream creates new instances based on type information contained in the processed stream. An attacker can manipulate the input stream to replace or inject objects that result in a server-side forgery request. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

When successfully exploited, this vulnerability allows remote attackers to request data from internal resources that are not publicly accessible by manipulating the processed input stream. This could potentially lead to unauthorized access to internal network resources or sensitive data (XStream CVE).

The vulnerability has been fixed in XStream version 1.4.18. Users are strongly recommended to upgrade to this version or later. For those unable to upgrade immediately, implementing XStream's security framework with a whitelist limited to the minimal required types provides protection against this vulnerability (GitHub Advisory).

Multiple organizations and vendors have acknowledged this vulnerability and released security advisories, including Red Hat, Oracle, NetApp, and Debian. These vendors have subsequently released patches and updates for their affected products (NetApp Advisory, Debian Advisory).