spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar: 80 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-github-com[bot]]

Vulnerable Library - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-cloud-starter-netflix-eureka-client version)	Remediation Possible**	Reachability
CVE-2013-7285	Critical	9.8	Not Defined	43.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39154	High	8.5	Not Defined	3.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39153	High	8.5	Not Defined	3.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39152	High	8.5	Not Defined	1.9%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39151	High	8.5	Not Defined	3.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39149	High	8.5	Not Defined	3.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39148	High	8.5	Not Defined	3.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39147	High	8.5	Not Defined	3.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39146	High	8.5	Not Defined	21.3%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39145	High	8.5	Not Defined	1.9%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-39144	High	8.5	High	96.7%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2022-41966	High	8.2	Not Defined	1.0%	xstream-1.4.10.jar	Transitive	3.0.0	✅	Reachable
CVE-2020-26217	High	8.0	Not Defined	97.399994%	xstream-1.4.10.jar	Transitive	3.0.1	✅	Reachable
WS-2021-0419	High	7.7	Not Defined		gson-2.8.0.jar	Transitive	N/A*	❌	Reachable
CVE-2022-25647	High	7.7	Not Defined	0.70000005%	gson-2.8.0.jar	Transitive	N/A*	❌	Reachable
CVE-2020-26258	High	7.7	Not Defined	91.7%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2024-29857	High	7.5	Not Defined		bcprov-jdk15on-1.55.jar	Transitive	N/A*	❌	Reachable
CVE-2022-45693	High	7.5	Not Defined	0.1%	jettison-1.3.7.jar	Transitive	4.1.1	✅	Reachable
CVE-2022-45685	High	7.5	Not Defined	0.1%	jettison-1.3.7.jar	Transitive	4.1.1	✅	Reachable
CVE-2021-43859	High	7.5	Not Defined	2.1%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-29505	High	7.5	Not Defined	4.8%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2021-21341	High	7.5	Not Defined	1.1%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2019-17359	High	7.5	Not Defined	0.6%	bcprov-jdk15on-1.55.jar	Transitive	2.1.5.RELEASE	✅	Reachable
CVE-2016-1000342	High	7.5	Not Defined	0.4%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2016-1000340	High	7.5	Not Defined	0.2%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-26259	Medium	6.8	Not Defined	60.3%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2022-40149	Medium	6.5	Not Defined	0.2%	jettison-1.3.7.jar	Transitive	4.1.1	✅	Reachable
CVE-2021-39140	Medium	6.5	Not Defined	1.8%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Reachable
CVE-2020-5408	Medium	6.5	Not Defined	0.1%	spring-security-crypto-4.2.1.RELEASE.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2021-21349	Medium	6.1	Not Defined	1.5%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21347	Medium	6.1	Not Defined	1.8%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21346	Medium	6.1	Not Defined	1.8%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2023-1436	Medium	5.9	Not Defined	0.1%	jettison-1.3.7.jar	Transitive	4.1.1	✅	Reachable
CVE-2020-15522	Medium	5.9	Not Defined	0.1%	bcprov-jdk15on-1.55.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21345	Medium	5.8	Not Defined	12.0%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21351	Medium	5.4	Not Defined	60.5%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21350	Medium	5.3	Not Defined	1.8%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21348	Medium	5.3	Not Defined	2.3%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21344	Medium	5.3	Not Defined	1.8%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21343	Medium	5.3	Not Defined	0.5%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2021-21342	Medium	5.3	Not Defined	1.0%	xstream-1.4.10.jar	Transitive	3.0.3	✅	Reachable
CVE-2019-10173	Critical	9.8	Not Defined	93.2%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Unreachable
CVE-2019-20445	Critical	9.1	Not Defined	0.2%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2019-20444	Critical	9.1	Not Defined	0.9%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2021-39150	High	8.5	Not Defined	1.3000001%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Unreachable
CVE-2021-39141	High	8.5	Not Defined	24.0%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Unreachable
CVE-2021-39139	High	8.5	Not Defined	3.5%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Unreachable
CVE-2021-37137	High	7.5	Not Defined	1.4000001%	netty-codec-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2021-37136	High	7.5	Not Defined	1.4000001%	netty-codec-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2020-7238	High	7.5	Not Defined	0.4%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2019-16869	High	7.5	Not Defined	2.2%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2018-1000180	High	7.5	Not Defined	0.5%	bcprov-jdk15on-1.55.jar	Transitive	2.0.2.RELEASE	✅	Unreachable
CVE-2016-4970	High	7.5	Not Defined	1.5%	netty-handler-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2016-1000343	High	7.5	Not Defined	0.4%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2016-1000338	High	7.5	Not Defined	0.6%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2015-2156	High	7.5	Not Defined	0.6%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
WS-2020-0408	High	7.4	Not Defined		netty-handler-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2016-1000352	High	7.4	Not Defined	0.2%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2016-1000344	High	7.4	Not Defined	0.2%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2023-34462	Medium	6.5	Not Defined	0.1%	netty-handler-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2022-40151	Medium	6.5	Not Defined	0.8%	xstream-1.4.10.jar	Transitive	1.4.1.RELEASE	✅	Unreachable
CVE-2022-40150	Medium	6.5	Not Defined	0.1%	jettison-1.3.7.jar	Transitive	4.1.1	✅	Unreachable
CVE-2021-43797	Medium	6.5	Not Defined	0.4%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2021-21290	Medium	6.2	Not Defined	0.0%	detected in multiple dependencies	Transitive	3.0.0	✅	Unreachable
CVE-2021-21295	Medium	5.9	Not Defined	16.2%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2016-1000341	Medium	5.9	Not Defined	0.4%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2022-24823	Medium	5.5	Not Defined	0.0%	netty-common-4.0.27.Final.jar	Transitive	N/A*	❌	Unreachable
CVE-2024-29025	Medium	5.3	Not Defined	0.0%	netty-codec-http-4.0.27.Final.jar	Transitive	3.0.0	✅	Unreachable
CVE-2023-33201	Medium	5.3	Not Defined	0.1%	bcprov-jdk15on-1.55.jar	Transitive	N/A*	❌	Unreachable
CVE-2021-22113	Medium	5.3	Not Defined	0.1%	spring-cloud-netflix-core-1.2.0.RELEASE.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2020-26939	Medium	5.3	Not Defined	0.1%	bcprov-jdk15on-1.55.jar	Transitive	2.1.5.RELEASE	✅	Unreachable
CVE-2016-1000339	Medium	5.3	Not Defined	0.3%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2016-1000346	Low	3.7	Not Defined	0.3%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2016-1000345	Low	3.7	Not Defined	0.4%	bcprov-jdk15on-1.55.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2024-47072	High	7.5	Not Defined	0.0%	xstream-1.4.10.jar	Transitive	N/A*	❌
CVE-2024-30172	High	7.5	Not Defined	0.0%	bcprov-jdk15on-1.55.jar	Transitive	N/A*	❌
CVE-2024-30171	Medium	5.9	Not Defined	0.0%	bcprov-jdk15on-1.55.jar	Transitive	N/A*	❌
CVE-2024-47535	Medium	5.5	Not Defined	0.0%	netty-common-4.0.27.Final.jar	Transitive	3.0.0	✅
CVE-2023-33202	Medium	5.5	Not Defined	0.0%	bcprov-jdk15on-1.55.jar	Transitive	N/A*	❌
CVE-2024-38827	Medium	4.8	Not Defined		spring-security-crypto-4.2.1.RELEASE.jar	Transitive	4.1.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (9 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2013-7285

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Publish Date: 2019-05-15

URL: CVE-2013-7285

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 43.0%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

Release Date: 2019-05-15

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.10-java7

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39154

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39154

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39153

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39153

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39152

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.

Publish Date: 2021-08-23

URL: CVE-2021-39152

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.9%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39151

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39151

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39149

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39149

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39148

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39148

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39147

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39147

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-39146

### Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar

Dependency Hierarchy: - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library) - eureka-client-1.4.11.jar - :x: **xstream-1.4.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` com.thoughtworks.xstream.XStream (Application) -> ❌ org.joychou.controller.XStreamRce (Vulnerable Component) ```

### Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Publish Date: 2021-08-23

URL: CVE-2021-39146

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 21.3%

### CVSS 3 Score Details (8.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f

Release Date: 2021-08-23

Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18

Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com[bot]]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.