Hi, in wechat-core there is a dependency, com.thoughtworks.xstream:xstream:1.4.8, that calls a risky method.
CVE-2021-29505
The affected version range of this CVE is [,1.4.17).
After further analysis, the main API called in this project is <com.thoughtworks.xstream.XStream: void setupSecurity()>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 9
<com.thoughtworks.xstream.XStream: void setupSecurity()>
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,com.thoughtworks.xstream.core.ClassLoaderReference,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.converters.ConverterLookup,com.thoughtworks.xstream.converters.ConverterRegistry)> (com.thoughtworks.xstream.XStream.java:[571]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,com.thoughtworks.xstream.core.ClassLoaderReference,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.core.DefaultConverterLookup)> (com.thoughtworks.xstream.XStream.java:[496]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,java.lang.ClassLoader,com.thoughtworks.xstream.mapper.Mapper)> (com.thoughtworks.xstream.XStream.java:[465]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.io.HierarchicalStreamDriver)> (com.thoughtworks.xstream.XStream.java:[411]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.io.HierarchicalStreamDriver)> (com.thoughtworks.xstream.XStream.java:[378]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.jonnyliu.proj.wechat.utils.MessageUtils: com.thoughtworks.xstream.XStream newXStreamInstance()> (com.jonnyliu.proj.wechat.utils.MessageUtils.java:[50]) in /detect/unzip/wechat-core-master/target/classes
at <com.jonnyliu.proj.wechat.utils.MessageUtils: java.lang.Object xml2Message(java.lang.String,java.lang.Class)> (com.jonnyliu.proj.wechat.utils.MessageUtils.java:[289]) in /detect/unzip/wechat-core-master/target/classes
Dependency tree--
Suggested solutions:
Update the xstream dependency to a version outside the affected range (1.4.17 or later).
Thank you very much.
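The invocation path above ends in MessageUtils.xml2Message(), which feeds externally supplied WeChat XML into an XStream instance whose only protection is the blacklist installed by setupSecurity(). Upgrading closes CVE-2021-29505, but the safer pattern on any 1.4.x is to replace the blacklist with an explicit allowlist of the message types the application expects. The following is an added example written for this page; it is not code from wechat-core or from the issue reporter, and the TextMessage class, the alias name and the hardenedXml2Message method are assumptions standing in for the project's real message classes and utility methods. All XStream calls used here (addPermission, allowTypes, allowTypesByWildcard, ForbiddenClassException) exist in the XStream security framework from 1.4.7 onward, so the same code works against the 1.4.8 jar in the trace as well as against a patched release.

```java
package example; // assumed package for this added example

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamExample {

    // Assumed message type standing in for the project's WeChat message classes.
    public static class TextMessage {
        public String FromUserName;
        public String ToUserName;
        public String Content;
    }

    /**
     * Builds an XStream instance with an explicit allowlist instead of the
     * blacklist that setupSecurity() installs by default in 1.4.8.
     * Any type not listed here is refused before it is instantiated.
     */
    public static XStream newHardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // Start from "deny every type", then add back only what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, TextMessage.class });
        // For a real message package, a scoped wildcard is the usual form, e.g.
        // xstream.allowTypesByWildcard(new String[] { "com.example.wechat.message.**" });
        // (package name assumed; keep it as narrow as the message classes allow).
        xstream.alias("xml", TextMessage.class);
        return xstream;
    }

    // Assumed replacement for the project's xml2Message(String, Class) utility.
    public static Object hardenedXml2Message(String xml) {
        return newHardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate text message document.
        String good = "<xml><FromUserName>alice</FromUserName>"
                + "<ToUserName>bot</ToUserName><Content>hi</Content></xml>";
        TextMessage m = (TextMessage) hardenedXml2Message(good);
        System.out.println("parsed Content=" + m.Content);

        // Constructed sample: a document naming a JDK class that is not on the allowlist.
        // The class itself is harmless; the point is that any non-allowlisted type
        // is rejected by the security mapper instead of being resolved and built.
        String notAllowed = "<java.util.Date/>";
        try {
            hardenedXml2Message(notAllowed);
            System.out.println("UNEXPECTED: non-allowlisted type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

To confirm which xstream version actually ends up on the classpath (transitive dependencies can pull in 1.4.8 even after a direct bump), run mvn dependency:tree -Dincludes=com.thoughtworks.xstream in the project root and check that no 1.4.x below 1.4.17 remains. The allowlist is still worth keeping after the upgrade: CVE-2021-29505 is one of a series of blacklist bypasses in XStream, and an explicit allowlist does not depend on the blacklist being complete.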