spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar: 63 vulnerabilities (highest severity is: 9.8) #18

@mend-bolt-for-github

Description

Vulnerable Library - spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar

Path to dependency file: /emart-eureka-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (spring-cloud-starter-netflix-eureka-server version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-20873 | Critical | 9.8 | spring-boot-actuator-autoconfigure-2.1.0.RELEASE.jar | Transitive | 3.1.0 | |
| CVE-2013-7285 | Critical | 9.8 | xstream-1.4.10.jar | Transitive | 2.1.3.RELEASE | |
| WS-2018-0629 | Critical | 9.1 | woodstox-core-5.0.3.jar | Transitive | 2.2.3.RELEASE | |
| CVE-2021-39154 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39153 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39152 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39151 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39150 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39149 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39148 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39147 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39146 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39145 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39144 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39141 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2021-39139 | High | 8.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2022-41966 | High | 8.2 | xstream-1.4.10.jar | Transitive | 3.0.0 | |
| CVE-2020-26217 | High | 8.0 | xstream-1.4.10.jar | Transitive | 3.0.1 | |
| WS-2021-0419 | High | 7.7 | gson-2.8.5.jar | Transitive | N/A* | |
| CVE-2022-25647 | High | 7.7 | gson-2.8.5.jar | Transitive | N/A* | |
| CVE-2024-47072 | High | 7.5 | xstream-1.4.10.jar | Transitive | 4.1.6 | |
| CVE-2024-30172 | High | 7.5 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2024-29857 | High | 7.5 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2022-45693 | High | 7.5 | jettison-1.3.7.jar | Transitive | 4.1.1 | |
| CVE-2022-45685 | High | 7.5 | jettison-1.3.7.jar | Transitive | 4.1.1 | |
| CVE-2021-43859 | High | 7.5 | xstream-1.4.10.jar | Transitive | 2.1.3.RELEASE | |
| CVE-2021-29505 | High | 7.5 | xstream-1.4.10.jar | Transitive | 3.0.4 | |
| CVE-2021-21341 | High | 7.5 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2019-17359 | High | 7.5 | bcprov-jdk15on-1.60.jar | Transitive | 2.1.5.RELEASE | |
| CVE-2025-22228 | High | 7.4 | spring-security-crypto-5.1.1.RELEASE.jar | Transitive | N/A* | |
| CVE-2020-26259 | Medium | 6.8 | xstream-1.4.10.jar | Transitive | 2.2.9.RELEASE | |
| WS-2019-0379 | Medium | 6.5 | commons-codec-1.11.jar | Transitive | N/A* | |
| CVE-2025-46392 | Medium | 6.5 | commons-configuration-1.8.jar | Transitive | N/A* | |
| CVE-2022-40152 | Medium | 6.5 | woodstox-core-5.0.3.jar | Transitive | 2.2.9.RELEASE | |
| CVE-2022-40151 | Medium | 6.5 | xstream-1.4.10.jar | Transitive | 4.1.3 | |
| CVE-2022-40150 | Medium | 6.5 | jettison-1.3.7.jar | Transitive | 4.1.1 | |
| CVE-2022-40149 | Medium | 6.5 | jettison-1.3.7.jar | Transitive | 4.1.1 | |
| CVE-2021-39140 | Medium | 6.5 | xstream-1.4.10.jar | Transitive | 3.0.5 | |
| CVE-2020-5408 | Medium | 6.5 | spring-security-crypto-5.1.1.RELEASE.jar | Transitive | 2.2.0.RELEASE | |
| CVE-2020-26258 | Medium | 6.3 | xstream-1.4.10.jar | Transitive | 2.2.9.RELEASE | |
| CVE-2021-21349 | Medium | 6.1 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2021-21347 | Medium | 6.1 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2021-21346 | Medium | 6.1 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2024-30171 | Medium | 5.9 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2023-1436 | Medium | 5.9 | jettison-1.3.7.jar | Transitive | 4.1.1 | |
| CVE-2020-15522 | Medium | 5.9 | bcprov-jdk15on-1.60.jar | Transitive | 3.0.3 | |
| CVE-2021-21345 | Medium | 5.8 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2023-33202 | Medium | 5.5 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2023-2976 | Medium | 5.5 | guava-16.0.jar | Transitive | N/A* | |
| CVE-2021-21351 | Medium | 5.4 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2025-48924 | Medium | 5.3 | commons-lang-2.6.jar | Transitive | N/A* | |
| CVE-2023-34055 | Medium | 5.3 | spring-boot-actuator-2.1.0.RELEASE.jar | Transitive | 4.0.0 | |
| CVE-2023-33201 | Medium | 5.3 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2022-22976 | Medium | 5.3 | spring-security-crypto-5.1.1.RELEASE.jar | Transitive | 4.1.0 | |
| CVE-2021-21350 | Medium | 5.3 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2021-21348 | Medium | 5.3 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2021-21344 | Medium | 5.3 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2021-21343 | Medium | 5.3 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2021-21342 | Medium | 5.3 | xstream-1.4.10.jar | Transitive | 3.0.3 | |
| CVE-2020-26939 | Medium | 5.3 | bcprov-jdk15on-1.60.jar | Transitive | 2.1.5.RELEASE | |
| CVE-2020-13956 | Medium | 5.3 | httpclient-4.5.6.jar | Transitive | N/A* | |
| CVE-2024-38827 | Medium | 4.8 | spring-security-crypto-5.1.1.RELEASE.jar | Transitive | 4.1.0 | |
| CVE-2020-8908 | Low | 3.3 | guava-16.0.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-20873

Vulnerable Library - spring-boot-actuator-autoconfigure-2.1.0.RELEASE.jar

Spring Boot Actuator AutoConfigure

Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-actuator-autoconfigure

Path to dependency file: /emart-eureka-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-actuator-autoconfigure/2.1.0.RELEASE/spring-boot-actuator-autoconfigure-2.1.0.RELEASE.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • spring-boot-starter-actuator-2.1.0.RELEASE.jar
        • spring-boot-actuator-autoconfigure-2.1.0.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

Publish Date: 2023-04-20

URL: CVE-2023-20873

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20873

Release Date: 2023-04-20

Fix Resolution (org.springframework.boot:spring-boot-actuator-autoconfigure): 2.5.15

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.1.0

Step up your Open Source Security Game with Mend here

CVE-2013-7285

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.

Publish Date: 2019-05-15

URL: CVE-2013-7285

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

Release Date: 2019-05-15

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.10-java7

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 2.1.3.RELEASE

WS-2018-0629

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: http://fasterxml.com

Path to dependency file: /emart-eureka-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • jackson-dataformat-xml-2.9.7.jar
        • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

The woodstox-core package is vulnerable to improper restriction of XML External Entity (XXE) references.

Publish Date: 2018-08-23

URL: WS-2018-0629

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-08-23

Fix Resolution (com.fasterxml.woodstox:woodstox-core): 5.3.0

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 2.2.3.RELEASE

CVE-2021-39154

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39154

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6w62-hx7r-mw68

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39153

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39153

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39152

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the "Security Framework" (https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2021-08-23

URL: CVE-2021-39152

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xw4p-crpj-vjx2

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39151

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39151

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hph2-m3g5-xxv4

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39150

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the "Security Framework" (https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2021-08-23

URL: CVE-2021-39150

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hph2-m3g5-xxv4

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39149

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39149

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ccq-5vw3-2p6x

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39148

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39148

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qrx8-8545-4wg2

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39147

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39147

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7v4-7xg3-hxcc

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39146

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39146

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8pq-r894-fm8f

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

CVE-2021-39145

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39145

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-8jrj-525p-826v

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5


CVE-2021-39144

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39144

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-j9h8-phrw-h4fh

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5


CVE-2021-39141

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39141

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-g5w6-mrj7-75h2

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5


CVE-2021-39139

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /emart-user-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy:

  • spring-cloud-starter-netflix-eureka-server-2.1.0.RELEASE.jar (Root Library)
    • spring-cloud-netflix-eureka-server-2.1.0.RELEASE.jar
      • xstream-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 9e2cdf0fabfba0aa30b3a80420cea42d1b714754

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can easily be adjusted to use an external Xalan, which works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39139

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-64xx-cq4q-mf44

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-server): 3.0.5

