Hi,

Currently, we are using Spring Cloud Hoxton.SR2 and our application has a dependency on the library spring-cloud-starter-netflix-eureka-client. Apparently, this library depends on a library, xstream.jar, which has a couple of vulnerabilities. Unfortunately, even if we upgrade to the latest version of Spring Cloud, it still includes a version of xstream that has these vulnerabilities.

However, with the way xstream is used by Spring Cloud, we really want to know if there is a vulnerability or not from your perspective. Advisories from Xstream shown below indicate what could cause these vulnerabilities. It would help if Spring Cloud can confirm this for us so that we can continue to use spring-cloud-starter-netflix-eureka-client as-is if this is not a concern.

Advisory from Xstream:
https://x-stream.github.io/CVE-2020-26259.html
https://x-stream.github.io/CVE-2020-26217.html

+1 to this - my team is actively working on determining how we can consider these CVEs mitigated or how we must address them in conjunction with our IT Security. Would love to hear some thoughts on it.
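Whether or not the eureka client exercises the affected xstream code paths, the transitive version can be pinned to a patched release without waiting for a new Spring Cloud train. The Maven pom fragment below is an added example, not code from this issue or from the Spring Cloud project; it assumes a project that imports the `spring-cloud-dependencies` BOM (the `Hoxton.SR2` version is the one named above), uses xstream's published coordinates `com.thoughtworks.xstream:xstream`, and leaves the target version as a placeholder to be filled in from the linked advisories, which state which xstream release fixes each CVE.

```xml
<!-- Added example (not from the issue or from Spring Cloud): pin the transitive xstream
     dependency that spring-cloud-starter-netflix-eureka-client pulls in to a patched release. -->
<project>
  <properties>
    <!-- PLACEHOLDER: replace X.Y.Z with the xstream release the linked advisories list as fixed -->
    <xstream.version>X.Y.Z</xstream.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Declare the override BEFORE the Spring Cloud BOM import: entries written directly
           in this section take precedence over versions managed by an imported BOM. -->
      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>${xstream.version}</version>
      </dependency>

      <!-- The Spring Cloud release train BOM (version taken from the issue text above). -->
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>Hoxton.SR2</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No version here: it is resolved from the BOM, while xstream beneath it now
         resolves to the pinned version declared in dependencyManagement. -->
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.thoughtworks.xstream:xstream` prints only the xstream node of the resolved tree, which should now show the pinned version rather than the one managed by the BOM; the same filter is useful as a build-time check so that a later BOM upgrade cannot silently reintroduce an older release. Pinning addresses the version reported by dependency scanners; it does not by itself answer the reachability question asked above, so the application's integration tests against Eureka should still be run with the newer xstream in place.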