Hi Wadeck,
On Thursday, 12. August 2021, 10:40:28 CEST Wadeck Follonier wrote:
> Hello there,
>
> We are using Anchore to scan our code and it detected a vulnerability,
> VULNDB-264109, in XStream 1.4.17 with, as the only information, the two
> "CVE"s provided in the title. The two references do not contain any
> security information to let us understand what the problem is, how to fix
> it, etc.
>
> References:
> - https://www.cnvd.org.cn/flaw/show/CNVD-2021-40246
> - https://www.cnvd.org.cn/flaw/show/CNVD-2021-40248
>
> So, do you have any information / guidance for us about how to manage this?
Actually I have no clue about the content of those reports, I cannot read them
and I didn't know that they existed. However, I have been flooded with
security issues and my complete spare time in the last month was filled with
writing CVE reports.
Every issue targets the default blacklist in combination with some stuff in the
Java runtime. Since I have better things to do than writing CVE reports, the next
XStream version will install a whitelist by default.
> Best regards,
>
> Wadeck Follonier
> Jenkins Security team
AFAICS, Jenkins uses its own security model in combination with XStream. In
this case I don't think it is affected by any of the reports.
Regards,
Jörg
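The reply above describes the root of the reports (the shipped blacklist, which lets any type not on it through) and the fix (a whitelist installed by default). The following is an added example, not code from this thread or from the XStream project, showing how a consumer of XStream 1.4.17 can switch to "deny by default, allow explicitly" today using the public XStream security API. The `Ticket` class, the alias `ticket` and the two XML documents are constructed for the example; `java.io.File` is used only as a harmless stand-in for "a JRE type the application never expects", not as a gadget.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only object graph this service
    // expects to unmarshal from untrusted input.
    public static class Ticket {
        String id;
        List<String> tags = new ArrayList<String>();
    }

    /** XStream 1.4.17 as shipped: a blacklist of known-bad types, everything else allowed. */
    static XStream defaultXStream() {
        XStream xstream = new XStream();
        xstream.alias("ticket", Ticket.class);
        return xstream;
    }

    /** Same setup, switched to "deny by default, allow explicitly". */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.alias("ticket", Ticket.class);
        // Drop every existing permission, including the default blacklist,
        // so that no type is accepted until it is allowed below.
        xstream.addPermission(NoTypePermission.NONE);
        // Harmless building blocks: null, primitives and their wrappers,
        // String, and the collection classes used by our own types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Exactly the application classes expected on the wire. For a whole
        // package use allowTypesByWildcard(new String[] { "com.example.model.**" }).
        xstream.allowTypes(new Class[] { Ticket.class });
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed, legitimate document.
        String good = "<ticket><id>T-1</id><tags><string>prod</string></tags></ticket>";
        // Constructed document naming a JRE class the application never expects.
        String unexpected = "<java.io.File>/tmp/x</java.io.File>";

        // Allowed types round-trip as before.
        Ticket t = (Ticket) hardenedXStream().fromXML(good);
        System.out.println("allowed: " + t.id + " " + t.tags);

        // The shipped blacklist lets the unexpected type through ...
        Object o = defaultXStream().fromXML(unexpected);
        System.out.println("default config instantiated: " + o.getClass().getName());

        // ... while the allowlist rejects it before any converter runs.
        try {
            hardenedXStream().fromXML(unexpected);
            System.out.println("hardened config accepted it (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened config rejected: " + e.getMessage());
        }
    }
}
```

The `addPermission(NoTypePermission.NONE)` call is what turns the instance from blacklist into whitelist mode: it clears all permissions registered so far, and each later `allowTypes` / `allowTypeHierarchy` / `allowTypesByWildcard` call re-admits only the types named. Audit the allowlist the same way you would audit a firewall rule set: every type on it must be one your own converters and classes genuinely need, because any allowed class becomes reachable from untrusted input. XStream 1.4.18 and later install such a whitelist by default, as the reply above announces, so on those versions this code is the explicit form of what the library already does.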