Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #1149

CVEDetect · 2023-04-12T02:20:22Z

Hi, In /，there is a dependency com.thoughtworks.xstream:xstream:1.4.19 that calls the risk method.

CVE-2022-41966

The scope of this CVE affected version is [,1.4.20)

After further analysis, in this project, the main Api called is com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object,com.thoughtworks.xstream.converters.DataHolder)Ljava.lang.Object;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

org.powertac.common.repo.BootstrapDataRepo: readBootRecord(java.net.URL)V /download/apache-maven-3.6.3/repository_mount/org/powertac/common/1.9.0-SNAPSHOT/common-1.9.0-SNAPSHOT.jar
org.powertac.common.XMLMessageConverter: fromXML(java.lang.String)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/powertac/common/1.9.0-SNAPSHOT/common-1.9.0-SNAPSHOT.jar
com.thoughtworks.xstream.XStream: fromXML(java.lang.String)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/io/github/x-stream/mxparser/1.2.2/mxparser-1.2.2.jar
com.thoughtworks.xstream.XStream: fromXML(java.io.Reader)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/io/github/x-stream/mxparser/1.2.2/mxparser-1.2.2.jar
com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/io/github/x-stream/mxparser/1.2.2/mxparser-1.2.2.jar
com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object,com.thoughtworks.xstream.converters.DataHolder)Ljava.lang.Object;

Dependency tree--

[INFO] org.powertac:powertac-server:pom:1.9.0-SNAPSHOT
[INFO] +- org.powertac:common:jar:1.9.0-SNAPSHOT:compile
[INFO] |  +- org.powertac:powertac-metadata:jar:1.9.0-SNAPSHOT:compile
[INFO] |  +- org.powertac:powertac-aop:jar:1.9.0-SNAPSHOT:compile
[INFO] |  |  +- org.aspectj:aspectjrt:jar:1.9.7:compile
[INFO] |  |  \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.20:compile
[INFO] |  |  \- org.springframework:spring-expression:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-test:jar:5.3.20:compile
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-jcl:jar:2.17.1:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.28:compile
[INFO] |  +- javax.jms:javax.jms-api:jar:2.0.1:compile
[INFO] |  +- joda-time:joda-time:jar:2.10.3:compile
[INFO] |  +- com.thoughtworks.xstream:xstream:jar:1.4.19:compile
[INFO] |  |  \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO] |  |     \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  +- org.apache.commons:commons-configuration2:jar:2.8.0:compile
[INFO] |  |  \- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] +- org.mockito:mockito-core:jar:3.12.4:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.11.13:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
[INFO] |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] \- org.junit.jupiter:junit-jupiter:jar:5.5.1:test
[INFO]    +- org.junit.jupiter:junit-jupiter-api:jar:5.5.1:test
[INFO]    |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO]    |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  \- org.junit.platform:junit-platform-commons:jar:1.5.1:test
[INFO]    +- org.junit.jupiter:junit-jupiter-params:jar:5.5.1:test
[INFO]    \- org.junit.jupiter:junit-jupiter-engine:jar:5.5.1:test
[INFO]       \- org.junit.platform:junit-platform-engine:jar:1.5.1:test

Suggested solutions:

Update dependency version

Thank you very much.

The text was updated successfully, but these errors were encountered:

CVEDetect mentioned this issue Apr 12, 2023

Fix CVE dependency issue #1150

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #1149

Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #1149

CVEDetect commented Apr 12, 2023

Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #1149

Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #1149

Comments

CVEDetect commented Apr 12, 2023