Regarding Security Vulnerability ~ CVE-2020-26217 xstream 1.4.13 on Java 11


arup das

Jun 3, 2021, 12:49:52 PM
to XStream User
Hi -- 

We are facing the CVE-2020-26217 vulnerability in xstream.jar version 1.4.13 on Java 11. We are not directly referencing this jar as a dependency in our Spring Boot micro-services, but the jar is downloaded automatically as part of the dependency hierarchy for Spring Boot 2.3.7. Even though we upgraded to Spring Boot 2.4.5, the same version of the jar is still being downloaded.

We tried another approach by defining a forced dependency in pom.xml to include 1.4.17, but due to a Java 11 incompatibility the microservice app is not starting up.

Q: Is there a way we can get 1.4.17 for Java 11?
Q: Is there a way we can override the configuration file for Spring Boot to incorporate the latest xstream version?

Thanks,
Arup

Jörg Schaible

Jun 7, 2021, 5:51:46 PM
to XStream User
Hi,

On Thursday, 3. June 2021, 18:49:52 CEST arup das wrote:
> Hi --
>
> We are facing the CVE-2020-26217 vulnerability in xstream.jar version 1.4.13
> on Java 11. We are not directly referencing this jar as a dependency in our
> Spring Boot micro-services, but the jar is downloaded automatically as part
> of the dependency hierarchy for Spring Boot 2.3.7. Even though we upgraded
> to Spring Boot 2.4.5, the same version of the jar is still being downloaded.
>
> We tried another approach by defining a forced dependency in pom.xml to
> include 1.4.17, but due to a Java 11 incompatibility the microservice app is
> not starting up.

I don't know of any incompatibility with Java 11.

> Q: Is there a way we can get 1.4.17 for Java 11?

I run it in Java 16. Travis CI runs it with Java 11.

> Q: Is there a way we can override the configuration file for Spring Boot to
> incorporate the latest xstream version?

Sorry, but I don't know Spring Boot.

Regards,
Jörg
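The second question in the thread, how to make a Spring Boot build resolve a newer XStream than the one its BOM manages, is answered by an entry in the service's own Maven `dependencyManagement`. The following pom.xml is an added example written for this thread; it is not code from the original posts, from XStream or from Spring Boot. It assumes a Maven build that inherits from `spring-boot-starter-parent` (the Spring Boot 2.4.5 and XStream 1.4.17 versions are the ones the thread names; the project coordinates are placeholders). In Maven, a `dependencyManagement` entry declared in the project's own pom takes precedence over the version the inherited Spring Boot BOM manages for the same artifact, so no direct dependency on XStream has to be added.

```xml
<!-- Added example, not from the thread or the projects it discusses.
     Assumes a Maven build inheriting spring-boot-starter-parent. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.5</version>  <!-- Spring Boot version named in the thread -->
  </parent>

  <!-- Placeholder coordinates for the micro-service itself -->
  <groupId>example.placeholder</groupId>
  <artifactId>my-service</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive XStream artifact to the patched release.
           The project's own dependencyManagement wins over the version
           the inherited Spring Boot BOM declares for this artifact, so
           whichever starter drags XStream in now resolves to 1.4.17. -->
      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.17</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Normal starters go here unchanged; none of them needs to name
         XStream directly for the override above to apply. -->
  </dependencies>
</project>
```

After the change, confirm which version actually resolves with `mvn dependency:tree -Dincludes=com.thoughtworks.xstream`; the output should show `com.thoughtworks.xstream:xstream:jar:1.4.17` on every path that previously showed 1.4.13. The same override works unchanged with the Spring Boot 2.3.7 parent mentioned in the first message, since it does not depend on which version the BOM manages. If the application still fails to start after the bump, the startup stack trace, rather than the Java version, is the place to look, given the maintainer's reply that XStream builds and runs on Java 11 and 16.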

