What is the trigger condition of CVE-2022-40156, CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 (XStream.fromXML)? Is the version affected only when XStream.fromXML is called? #311
Comments
Will there be a security update?
Related to the current version, and not exactly sure where to post the comment. But wondering when a new version may be available that addresses the 9 vulns currently affecting version 1.4.19.
Any news about those CVEs and their fixes? Best regards
Also looking for an update on the open CVEs against XStream.
Jenkins uses this xstream & the grace period is also over (expired 6 days ago) for the CVEs (CVE-2022-40152, CVE-2022-40151).
I've come here after getting CVE warnings too. Based on #262, I suspect most users should consider switching to alternative APIs/libs, e.g. XMLInputFactory (StAX parsing), jackson-dataformat-xml, JAXB, etc. Thanks @joehni for maintaining this great library. Those OSS Fuzz guys are causing real chaos in the OSS community. They should try much harder to engage with lib maintainers before raising the CVEs.
I agree, XStream is an amazing library! @pjfanning, maybe I misunderstood, but is there news of the XStream project closing, that you suggest switching to alternatives and giving (well deserved) thanks to @joehni?
As most of you may have noticed, XStream cannot do anything about CVEs 2022-40152 to 2022-40156. Apart from that, this ticket simply duplicates #304.