Hi,
On Thursday, 3. June 2021, 18:49:52 CEST arup das wrote:
> Hi --
>
> We are facing CVE-2020-26217 vulnerability on xstream.jar version 1.4.13 on
> java 11. We are not directly referencing this jar as any dependency in our
> Springboot micro-services but the jar is auto-downloading as part of
> dependency hierarchy for Springboot 2.3.7. Even though we upgraded to
> Springboot 2.4.5, the same version of the jar is getting downloaded.
>
> We tried another approach by defining force dependency in pom.xml to
> include 1.4.17 but due to java 11 incompatibility, microservice app is not
> starting up.
I don't know of any incompatibility to Java 11.
> Q: Is there a way we can get 1.4.17 for java 11 ?
I run it in Java 16. Travis CI runs it with Java 11.
> Q: Is there a way we can override the configuration file for Springboot to
> incorporate latest xstream version ?
Sorry, but I don't know Springboot.
Regards,
Jörg