x-stream/xstream

What is the trigger condition of CVE-2022-40156 CVE-2022-40153 CVE-2022-40154 CVE-2022-40155, XStream. fromXML? Is the version affected only when XStream.fromXML is called?

Closed this issue · 8 comments


will there be a security update?

https://avd.aquasec.com/nvd/2022/cve-2022-40153/

Related to the current version, and not exactly sure where to post the comment. But wondering when a new version may be available that addresses the 9 vulns currently affecting version 1.4.19
https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.19

Any news about those CVEs and their fixes?

Best regards

Derv0 commented

Also looking for an update on the open CVEs against XStream
CVE-2022-40156
CVE-2022-40155
CVE-2022-40154
CVE-2022-40153
CVE-2022-40152
CVE-2022-40151
#304 appears to also mention these CVEs. Will that ticket cover all the CVEs above?

Jenkins uses this xstream & the grace period is also over (expired 6 days ago) for the CVEs (CVE-2022-40152, CVE-2022-40151)
When can we expect the fix?

I've come here after getting CVE warnings too. Based on #262, I suspect most users should consider switching to alternative APIs/libs - e.g. XMLInputFactory (StAX parsing), jackson-dataformat-xml, JAXB, etc.

Thanks @joehni for maintaining this great library. Those OSS Fuzz guys are causing real chaos in the OSS community. They should try much harder to engage with lib maintainers before raising the CVEs.

I agree, XStream is an amazing library! @pjfanning, maybe I misunderstood, but is there news of the XStream project closing, such that you suggest switching to alternatives and giving (well-deserved) thanks to @joehni?

As most of you may have noticed, XStream cannot do anything about CVEs 2022-40152 to 2022-40156. Apart from that, this ticket simply duplicates #304.