Hi,
Currently, we are using Spring Cloud Hoxton.SR2 and our application has a dependency on the library spring-cloud-starter-netflix-eureka-client. Apparently, this library depends on a library, xstream.jar, which has a couple of vulnerabilities. Unfortunately, even if we upgrade to the latest version of Spring Cloud, it still includes a version of xstream that has these vulnerabilities.
However, with the way xstream is used by Spring Cloud, we really want to know if there is a vulnerability or not from your perspective. The advisories from XStream shown below indicate what could cause these vulnerabilities. It would help if Spring Cloud could confirm this for us so that we can continue to use spring-cloud-starter-netflix-eureka-client as-is if this is not a concern.
Advisories from XStream:
https://x-stream.github.io/CVE-2020-26259.html
https://x-stream.github.io/CVE-2020-26217.html
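One way to take the question out of the starter's hands while waiting for an answer, as an added example that is not part of the post or of Spring Cloud: override the transitive xstream version in the application's own Maven pom. It assumes a Maven build; `XSTREAM_FIXED_VERSION` is a placeholder to be replaced with the fixed release named in the two advisories above.

```xml
<!-- Added example (not from the post or from Spring Cloud). Pin the
     transitive xstream dependency that spring-cloud-starter-netflix-eureka-client
     pulls in. A dependencyManagement entry declared directly in the application
     pom takes precedence over the version inherited from the Spring Boot parent
     or an imported spring-cloud-dependencies BOM.
     XSTREAM_FIXED_VERSION is a placeholder: use the fixed version given in the
     CVE-2020-26259 / CVE-2020-26217 advisories. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>XSTREAM_FIXED_VERSION</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The starter is still declared without a version; the Spring Cloud BOM
       manages it, while xstream now resolves to the pinned version above. -->
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=com.thoughtworks.xstream` shows which xstream version the build actually resolves, which is the number a scanner will report.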