Xygeni-Bumper - update 36 dependency versions #1
Merged
juliovargas merged 2 commits into main on Oct 23, 2025
🛡️ Xygeni Bumper
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.7
🔍 Vulnerability Details
📝 Description
CVE-2013-7285 XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any supported format, e.g. JSON.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2013-7285
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21341 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21341
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.14-java7
🔍 Vulnerability Details
📝 Description
CVE-2020-26217 XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2020-26217
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.10
🔍 Vulnerability Details
📝 Description
CVE-2017-7957 XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2017-7957
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.19
🔍 Vulnerability Details
📝 Description
CVE-2021-43859 XStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-43859
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.9
🔍 Vulnerability Details
📝 Description
CVE-2016-3674 Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2016-3674
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.20
🔍 Vulnerability Details
📝 Description
CVE-2022-41966 XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet, and whose XML refers to these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and that all elements are comparable.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2022-41966
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39150 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39150
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39152 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39152
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39151 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39151
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39154 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39154
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39153 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39153
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39139 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39139
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39141 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39141
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39145 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39145
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39144 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39144
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39147 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39147
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39146 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39146
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39149 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39149
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39148 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39148
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.17
🔍 Vulnerability Details
📝 Description
CVE-2021-29505 XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-29505
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.21
🔍 Vulnerability Details
📝 Description
GHSA-hfq9-hggm-c56q XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.
Patches
XStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.
Workarounds
The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072.
Credits
Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.
🔗 References
For more information, please refer to GHSA-hfq9-hggm-c56q
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21344 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21344
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21343 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in the deletion of a file on the local host. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21343
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21342 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21342
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21351 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21351
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21350 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21350
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21349 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21349
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21348 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21348
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21347 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21347
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21346 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21346
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.16
🔍 Vulnerability Details
📝 Description
CVE-2021-21345 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-21345
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.20
🔍 Vulnerability Details
📝 Description
CVE-2022-40151 Those using XStream to serialize XML data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2022-40151
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.18
🔍 Vulnerability Details
📝 Description
CVE-2021-39140 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
🔗 References
For more information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-39140
Bumps com.thoughtworks.xstream:xstream:1.4.5 to 1.4.19.redhat-00001
🔍 Vulnerability Details
📝 Description
GHSA-3mq5-fq9h-gj7j Duplicate Advisory: Denial of Service due to parser crash
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-f8cc-g7j8-xxpm. This link is maintained to preserve external references.
Original Description
Those using XStream to serialize XML data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
🔗 References
For more information, please refer to GHSA-3mq5-fq9h-gj7j
Bumps org.bitbucket.b_c:jose4j:0.9.3 to 0.9.4
🔍 Vulnerability Details
📝 Description
GHSA-6qvw-249j-h44c jose4j denial of service via specifically crafted JWE - The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
🔗 References
For more information, please refer to GHSA-6qvw-249j-h44c
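Nearly every XStream advisory above ends with the same remediation: users who set up XStream's Security Framework with an allowlist limited to the minimal required types are not affected. The Java below is an added example of that configuration on the 1.4.21 version this PR targets; it is not code from this PR or from the XStream project, and the Order DTO, its XML sample and the class names are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.InputManipulationException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.ArrayList;
import java.util.List;

// Added example: XStream 1.4.21 unmarshalling restricted to an explicit allowlist, as the
// advisories recommend. Order is a hypothetical DTO standing in for the real payload type.
public class RestrictedXStreamExample {

    public static class Order {
        public String id;
        public int quantity;
        public List<String> tags = new ArrayList<>();
    }

    // Deny every type first, then admit only what the payload needs. On 1.4.18+ the
    // allowlist is already the default; stating it keeps the intent visible and still
    // holds if the dependency is ever pinned back to an older release.
    public static XStream buildRestrictedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything ...
        xstream.addPermission(NullPermission.NULL);                // ... then allow null,
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives/boxed types,
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class });
        xstream.alias("order", Order.class);
        // CVE-2021-43859 above names NO_REFERENCES mode as a workaround when upgrading is
        // impossible; it drops back-references, so cyclic graphs stop round-tripping.
        // Not needed on 1.4.21, which carries the fix:
        // xstream.setMode(XStream.NO_REFERENCES);
        return xstream;
    }

    // Parses untrusted XML. A refused type surfaces as ForbiddenClassException (wrapped in
    // a ConversionException when it occurs below the root) and detected stream manipulation
    // (CVE-2022-41966, GHSA-hfq9-hggm-c56q) as InputManipulationException; both are mapped
    // to SecurityException so callers cannot mistake them for an ordinary parse error.
    public static Order parseOrder(XStream xstream, String untrustedXml) {
        Object result;
        try {
            result = xstream.fromXML(untrustedXml);
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException || t instanceof InputManipulationException) {
                    throw new SecurityException("rejected XStream input: " + t.getMessage(), e);
                }
            }
            throw new IllegalArgumentException("malformed order document", e);
        }
        if (!(result instanceof Order)) {  // also rejects a null root
            throw new IllegalArgumentException("unexpected root element");
        }
        return (Order) result;
    }

    public static void main(String[] args) {
        XStream xstream = buildRestrictedXStream();
        // Constructed sample: the shape the application expects.
        String good = "<order><id>A-17</id><quantity>3</quantity>"
                    + "<tags><string>rush</string></tags></order>";
        Order order = parseOrder(xstream, good);
        System.out.println(order.id + " x" + order.quantity + " " + order.tags);
        // Constructed sample: a root naming a type outside the allowlist; the mapper refuses
        // it before any instance is created.
        try {
            parseOrder(xstream, "<java.util.Properties/>");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The same allowlist discipline applies when the application deserializes through a driver other than the default, including the BinaryStreamDriver named in GHSA-hfq9-hggm-c56q, since the Security Framework sits in the mapper rather than in any one parser.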