Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #317

CVEDetect opened this issue Apr 14, 2023 · 0 comments

Hi, in /source/test there is a dependency com.thoughtworks.xstream:xstream:1.4.18 that calls the risk method.

CVE-2021-43859

The affected version range of this CVE is [,1.4.19).

After further analysis, in this project the main API called is com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object,com.thoughtworks.xstream.converters.DataHolder)Ljava.lang.Object;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 7

org.bf2.test.k8s.cmdClient.BaseCmdKubeClient: delete(java.io.File[])Lorg.bf2.test.k8s.cmdClient.BaseCmdKubeClient; /download/apache-maven-3.6.3/repository_mount/io/quarkus/quarkus-fs-util/0.0.3/quarkus-fs-util-0.0.3.jar
com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy$XmlMapEntriesIterator$1: getValue()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy: access$600(com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy,java.io.File)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy: readFile(java.io.File)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
com.thoughtworks.xstream.XStream: fromXML(java.io.Reader)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object,com.thoughtworks.xstream.converters.DataHolder)Ljava.lang.Object;

Dependency tree--

[INFO] cloud.redhat.com:test:jar:1.0.0-SNAPSHOT
[INFO] +- io.quarkus:quarkus-kubernetes-client:jar:2.6.1.Final:compile
[INFO] |  +- io.quarkus:quarkus-arc:jar:2.6.1.Final:compile
[INFO] |  |  +- io.quarkus.arc:arc:jar:2.6.1.Final:compile
[INFO] |  |  |  \- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] |  |  \- org.eclipse.microprofile.context-propagation:microprofile-context-propagation-api:jar:1.2:compile
[INFO] |  +- io.quarkus:quarkus-kubernetes-client-internal:jar:2.6.1.Final:compile
[INFO] |  +- io.quarkus:quarkus-jackson:jar:2.6.1.Final:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.12.6:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.12.6:compile
[INFO] |  +- io.fabric8:kubernetes-client:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-core:jar:5.10.1:compile
[INFO] |  |  |  \- io.fabric8:kubernetes-model-common:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-rbac:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-admissionregistration:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-apps:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-autoscaling:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-apiextensions:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-batch:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-certificates:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-coordination:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-discovery:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-events:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-extensions:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-flowcontrol:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-networking:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-metrics:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-policy:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-scheduling:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-storageclass:jar:5.10.1:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-node:jar:5.10.1:compile
[INFO] |  |  +- com.squareup.okhttp3:okhttp:jar:3.14.9:compile
[INFO] |  |  |  \- com.squareup.okio:okio:jar:1.17.2:compile
[INFO] |  |  +- com.squareup.okhttp3:logging-interceptor:jar:3.14.9:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] |  |  +- io.fabric8:zjsonpatch:jar:0.3.0:compile
[INFO] |  |  \- com.github.mifmif:generex:jar:1.0.2:compile
[INFO] |  |     \- dk.brics.automaton:automaton:jar:1.11-8:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.jboss.spec.javax.xml.bind:jboss-jaxb-api_2.3_spec:jar:2.0.0.Final:compile
[INFO] |  \- io.smallrye.config:smallrye-config-source-yaml:jar:2.7.0:compile
[INFO] |     +- org.yaml:snakeyaml:jar:1.29:compile
[INFO] |     +- io.smallrye.config:smallrye-config-common:jar:2.7.0:compile
[INFO] |     |  +- org.eclipse.microprofile.config:microprofile-config-api:jar:2.0:compile
[INFO] |     |  \- io.smallrye.common:smallrye-common-classloader:jar:1.8.0:compile
[INFO] |     +- io.smallrye.config:smallrye-config:jar:2.7.0:compile
[INFO] |     |  \- io.smallrye.config:smallrye-config-core:jar:2.7.0:compile
[INFO] |     |     +- io.smallrye.common:smallrye-common-annotation:jar:1.8.0:compile
[INFO] |     |     \- io.smallrye.common:smallrye-common-expression:jar:1.8.0:compile
[INFO] |     |        \- io.smallrye.common:smallrye-common-function:jar:1.8.0:compile
[INFO] |     \- io.smallrye.common:smallrye-common-constraint:jar:1.8.0:compile
[INFO] +- io.fabric8:kubernetes-server-mock:jar:5.10.1:compile
[INFO] |  +- io.fabric8:mockwebserver:jar:0.2.2:compile
[INFO] |  |  \- com.squareup.okhttp3:mockwebserver:jar:3.12.12:compile
[INFO] |  |     \- junit:junit:jar:4.12:compile
[INFO] |  |        \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] |  \- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:compile
[INFO] |     +- org.opentest4j:opentest4j:jar:1.2.0:compile
[INFO] |     +- org.junit.platform:junit-platform-commons:jar:1.8.2:compile
[INFO] |     \- org.apiguardian:apiguardian-api:jar:1.1.2:compile
[INFO] +- io.quarkus:quarkus-test-common:jar:2.6.1.Final:compile
[INFO] |  +- io.quarkus:quarkus-core-deployment:jar:2.6.1.Final:compile
[INFO] |  |  +- org.aesh:readline:jar:2.1:compile
[INFO] |  |  |  \- org.fusesource.jansi:jansi:jar:1.18:compile
[INFO] |  |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  |  +- org.wildfly.common:wildfly-common:jar:1.5.4.Final-format-001:compile
[INFO] |  |  +- io.quarkus.gizmo:gizmo:jar:1.0.10.Final:compile
[INFO] |  |  |  \- org.ow2.asm:asm-util:jar:9.2:compile
[INFO] |  |  +- org.ow2.asm:asm:jar:9.2:compile
[INFO] |  |  +- org.ow2.asm:asm-commons:jar:9.2:compile
[INFO] |  |  |  +- org.ow2.asm:asm-tree:jar:9.2:compile
[INFO] |  |  |  \- org.ow2.asm:asm-analysis:jar:9.2:compile
[INFO] |  |  +- io.quarkus:quarkus-development-mode-spi:jar:2.6.1.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-class-change-agent:jar:2.6.1.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-devtools-utilities:jar:2.6.1.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-builder:jar:2.6.1.Final:compile
[INFO] |  |  +- org.graalvm.sdk:graal-sdk:jar:21.3.0:compile
[INFO] |  |  \- org.junit.platform:junit-platform-launcher:jar:1.8.2:compile
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:compile
[INFO] |  +- io.quarkus:quarkus-jsonp-deployment:jar:2.6.1.Final:compile
[INFO] |  |  \- io.quarkus:quarkus-jsonp:jar:2.6.1.Final:compile
[INFO] |  |     \- org.glassfish:jakarta.json:jar:1.1.6:compile
[INFO] |  +- org.jboss:jandex:jar:2.4.1.Final:compile
[INFO] |  \- org.jboss.logging:commons-logging-jboss-logging:jar:1.0.0.Final:compile
[INFO] |     \- org.jboss.logging:jboss-logging:jar:3.4.2.Final:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] \- io.quarkus:quarkus-junit5:jar:2.6.1.Final:compile
[INFO]    +- io.quarkus:quarkus-bootstrap-core:jar:2.6.1.Final:compile
[INFO]    |  +- io.quarkus:quarkus-bootstrap-app-model:jar:2.6.1.Final:compile
[INFO]    |  +- io.quarkus:quarkus-bootstrap-maven-resolver:jar:2.6.1.Final:compile
[INFO]    |  |  +- org.apache.maven:maven-embedder:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven:maven-settings:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven:maven-core:jar:3.8.4:compile
[INFO]    |  |  |  |  +- org.apache.maven:maven-artifact:jar:3.8.4:compile
[INFO]    |  |  |  |  \- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO]    |  |  |  +- org.apache.maven:maven-plugin-api:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven:maven-model:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven:maven-model-builder:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven:maven-builder-support:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.6.3:compile
[INFO]    |  |  |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.6.3:compile
[INFO]    |  |  |  +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:compile
[INFO]    |  |  |  |  \- commons-io:commons-io:jar:2.11.0:compile
[INFO]    |  |  |  +- com.google.inject:guice:jar:no_aop:4.2.2:compile
[INFO]    |  |  |  |  \- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO]    |  |  |  |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO]    |  |  |  |     \- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO]    |  |  |  +- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO]    |  |  |  +- org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:compile
[INFO]    |  |  |  +- org.codehaus.plexus:plexus-cipher:jar:2.0:compile
[INFO]    |  |  |  \- commons-cli:commons-cli:jar:1.4:compile
[INFO]    |  |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.5:compile
[INFO]    |  |  +- org.apache.maven:maven-settings-builder:jar:3.8.4:compile
[INFO]    |  |  |  \- org.codehaus.plexus:plexus-interpolation:jar:1.26:compile
[INFO]    |  |  +- org.apache.maven:maven-resolver-provider:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven:maven-repository-metadata:jar:3.8.4:compile
[INFO]    |  |  |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.6.3:compile
[INFO]    |  |  |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.6.3:compile
[INFO]    |  |  |  \- org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[INFO]    |  |  +- org.apache.maven.resolver:maven-resolver-connector-basic:jar:1.6.3:compile
[INFO]    |  |  +- org.apache.maven.resolver:maven-resolver-transport-wagon:jar:1.6.3:compile
[INFO]    |  |  +- org.apache.maven.wagon:wagon-http:jar:3.4.3:compile
[INFO]    |  |  |  +- org.apache.maven.wagon:wagon-http-shared:jar:3.4.3:compile
[INFO]    |  |  |  |  \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO]    |  |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]    |  |  |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO]    |  |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO]    |  |  |  \- org.apache.maven.wagon:wagon-provider-api:jar:3.4.3:compile
[INFO]    |  |  \- org.apache.maven.wagon:wagon-file:jar:3.4.3:compile
[INFO]    |  +- io.quarkus:quarkus-bootstrap-gradle-resolver:jar:2.6.1.Final:compile
[INFO]    |  +- io.quarkus:quarkus-fs-util:jar:0.0.3:compile
[INFO]    |  \- io.smallrye.common:smallrye-common-io:jar:1.8.0:compile
[INFO]    +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.5:runtime
[INFO]    +- io.quarkus:quarkus-junit5-properties:jar:2.6.1.Final:compile
[INFO]    +- org.junit.jupiter:junit-jupiter:jar:5.8.2:compile
[INFO]    |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:compile
[INFO]    |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:runtime
[INFO]    +- io.quarkus:quarkus-core:jar:2.6.1.Final:compile
[INFO]    |  +- jakarta.enterprise:jakarta.enterprise.cdi-api:jar:2.0.2:compile
[INFO]    |  |  +- jakarta.el:jakarta.el-api:jar:3.0.3:compile
[INFO]    |  |  \- jakarta.interceptor:jakarta.interceptor-api:jar:1.2.5:compile
[INFO]    |  +- jakarta.inject:jakarta.inject-api:jar:1.0:compile
[INFO]    |  +- io.quarkus:quarkus-ide-launcher:jar:2.6.1.Final:compile
[INFO]    |  +- org.jboss.logmanager:jboss-logmanager-embedded:jar:1.0.9:compile
[INFO]    |  +- org.jboss.logging:jboss-logging-annotations:jar:2.2.1.Final:compile
[INFO]    |  +- org.jboss.threads:jboss-threads:jar:3.4.2.Final:compile
[INFO]    |  +- org.jboss.slf4j:slf4j-jboss-logmanager:jar:1.1.0.Final:compile
[INFO]    |  \- io.quarkus:quarkus-bootstrap-runner:jar:2.6.1.Final:compile
[INFO]    \- com.thoughtworks.xstream:xstream:jar:1.4.18:compile
[INFO]       \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO]          \- xmlpull:xmlpull:jar:1.1.3.1:compile

Suggested solutions:

Update dependency version

Thank you very much.
