xstream vulnerability - Later version 1.4.18 issue #25

Open
brownmb opened this issue Jan 4, 2022 · 1 comment
Comments

@brownmb

brownmb commented Jan 4, 2022

A security scan shows issues with the xstream version that the current pom depends on.

Updating to 1.4.18 causes an exception:

22-01-04 14:08:47, SPY, WARN , CRITICAL, Failed send SMS via Esendex-Rest Service
com.thoughtworks.xstream.security.ForbiddenClassException: esendex.sdk.java.model.transfer.message.MessageCollectionResponseDto
at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1391) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1376) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1261) ~[xstream-1.4.18.jar:1.4.18]
at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1252) ~[xstream-1.4.18.jar:1.4.18]
at esendex.sdk.java.parser.xstream.XStreamParser.fromXml(XStreamParser.java:129) ~[esendex-java-sdk-4.0.2.jar:?]
at esendex.sdk.java.service.resource.base.XmlResponder.createResponseObject(XmlResponder.java:41) ~[esendex-java-sdk-4.0.2.jar:?]
at esendex.sdk.java.service.resource.base.XmlResponder.<init>(XmlResponder.java:35) ~[esendex-java-sdk-4.0.2.jar:?]
at esendex.sdk.java.service.resource.base.XmlRequesterResponderResource.execute(XmlRequesterResponderResource.java:59) ~[esendex-java-sdk-4.0.2.jar:?]
at esendex.sdk.java.service.impl.MessagingServiceImpl.send(MessagingServiceImpl.java:129) ~[esendex-java-sdk-4.0.2.jar:?]
at esendex.sdk.java.service.impl.MessagingServiceImpl.send(MessagingServiceImpl.java:111) ~[esendex-java-sdk-4.0.2.jar:?]
at esendex.sdk.java.service.impl.MessagingServiceImpl.sendMessages(MessagingServiceImpl.java:59) ~[esendex-java-sdk-4.0.2.jar:?]
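The exception in the trace above comes from XStream's security framework rather than from the SDK's parsing logic: from 1.4.18 an XStream instance starts with NoTypePermission, so every class that is not explicitly allow-listed is rejected in SecurityMapper.realClass during unmarshalling, and the SDK's DTO types have to be allowed wherever the SDK builds its XStream instance. The following is an added example (not code from the esendex-java-sdk, from the reporter, or from the XStream project) that reproduces the rejection against 1.4.18 and shows the narrow allow-list that resolves it. The DTO stand-in and its fields, the alias and the sample XML are constructed assumptions; the real response format is not on this page.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowListDemo {

    // Constructed stand-in for esendex.sdk.java.model.transfer.message.MessageCollectionResponseDto.
    // The real DTO's fields are not shown on the page, so these two are assumptions.
    public static class MessageCollectionResponseDto {
        public String batchid;
        public int count;
    }

    // Constructed sample payload; the real Esendex REST response is not on the page.
    static final String SAMPLE_XML =
        "<messageheaders><batchid>0d5b2c1e</batchid><count>2</count></messageheaders>";

    // Shared setup: the alias maps the root element to the DTO so the XML does not have
    // to carry the fully qualified class name. (Assumed alias; the SDK's mapping is not shown.)
    static XStream baseParser() {
        XStream xs = new XStream();
        xs.alias("messageheaders", MessageCollectionResponseDto.class);
        return xs;
    }

    // What happens on 1.4.18+ with no permissions added beyond the defaults: the
    // permission chain starts from NoTypePermission, so the application DTO is refused.
    static XStream unconfigured() {
        return baseParser();
    }

    // Hardened form: allow-list exactly the DTO types the parser is expected to produce.
    static XStream allowListed() {
        XStream xs = baseParser();
        xs.allowTypes(new Class[] { MessageCollectionResponseDto.class });
        // For the SDK itself the wildcard form covers its whole model package, e.g.
        //   xs.allowTypesByWildcard(new String[] { "esendex.sdk.java.model.**" });
        // Do not "fix" this with xs.addPermission(AnyTypePermission.ANY): that restores the
        // unrestricted deserialization the security framework exists to block.
        return xs;
    }

    public static void main(String[] args) {
        try {
            unconfigured().fromXML(SAMPLE_XML);
            System.out.println("unexpected: unconfigured parser accepted the DTO");
        } catch (ForbiddenClassException e) {
            // This is the same failure as in the reporter's log, reproduced deliberately.
            System.out.println("unconfigured parser rejected: " + e.getMessage());
        }

        MessageCollectionResponseDto dto =
            (MessageCollectionResponseDto) allowListed().fromXML(SAMPLE_XML);
        System.out.println("allow-listed parser read batch " + dto.batchid
            + " with " + dto.count + " messages");
    }
}
```

Keep the allow-list as narrow as the types the SDK actually unmarshals; a package wildcard on the SDK's own model package is the widest grant that is still defensible, and an application consuming the SDK cannot add it from outside, so the change belongs in the SDK where the XStream instance is created.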

@Lonzak

Lonzak commented Aug 1, 2023

In the current version, 1.4.19 is used, but this version is still vulnerable.
Version 1.4.20 should be used. There is a bit of discussion going on whether this version is secure or not but it is the best out there currently...
