Description
Vulnerable Library - spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Vulnerabilities
| Vulnerability | Severity | Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-cloud-starter-netflix-eureka-client version) | Remediation Possible** | Reachability | |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-10173 | 9.8 | Not Defined | 92.6% | xstream-1.4.10.jar | Transitive | N/A* | ❌ | ||
| CVE-2013-7285 | 9.8 | Not Defined | 15.099999% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2019-20445 | 9.1 | Not Defined | 10.0% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2019-20444 | 9.1 | Not Defined | 8.299999% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2021-39154 | 8.5 | Not Defined | 4.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39153 | 8.5 | Not Defined | 4.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39152 | 8.5 | Not Defined | 16.699999% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39151 | 8.5 | Not Defined | 4.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39149 | 8.5 | Not Defined | 4.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39148 | 8.5 | Not Defined | 4.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39147 | 8.5 | Not Defined | 4.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39146 | 8.5 | Not Defined | 23.0% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39145 | 8.5 | Not Defined | 4.5% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39144 | 8.5 | High | 93.6% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2022-41966 | 8.2 | Not Defined | 46.7% | xstream-1.4.10.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2020-26217 | 8.0 | Not Defined | 93.5% | xstream-1.4.10.jar | Transitive | 3.0.1 | ✅ | ||
| WS-2021-0419 | 7.7 | Not Defined | | gson-2.8.0.jar | Transitive | N/A* | ❌ | ||
| CVE-2022-25647 | 7.7 | Not Defined | 1.4000001% | gson-2.8.0.jar | Transitive | N/A* | ❌ | ||
| CVE-2025-58057 | 7.5 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 3.0.0 | ✅ | ||
| CVE-2025-58056 | 7.5 | Not Defined | 0.1% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2024-47072 | 7.5 | Not Defined | 0.70000005% | xstream-1.4.10.jar | Transitive | 4.1.6 | ✅ | ||
| CVE-2024-30172 | 7.5 | Not Defined | 0.3% | bcprov-jdk15on-1.55.jar | Transitive | N/A* | ❌ | ||
| CVE-2024-29857 | 7.5 | Not Defined | 0.4% | bcprov-jdk15on-1.55.jar | Transitive | N/A* | ❌ | ||
| CVE-2022-45693 | 7.5 | Not Defined | 1.2% | jettison-1.3.7.jar | Transitive | 4.1.1 | ✅ | ||
| CVE-2022-45685 | 7.5 | Not Defined | 1.2% | jettison-1.3.7.jar | Transitive | 4.1.1 | ✅ | ||
| CVE-2021-43859 | 7.5 | Not Defined | 14.1% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-37136 | 7.5 | Not Defined | 2.8000002% | netty-codec-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2021-29505 | 7.5 | Not Defined | 77.700005% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-21341 | 7.5 | Not Defined | 74.7% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2020-7238 | 7.5 | Not Defined | 3.3% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2019-17359 | 7.5 | Not Defined | 22.400002% | bcprov-jdk15on-1.55.jar | Transitive | 2.1.5.RELEASE | ✅ | ||
| CVE-2019-16869 | 7.5 | Not Defined | 8.1% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2016-4970 | 7.5 | Not Defined | 8.2% | netty-handler-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2016-1000340 | 7.5 | Not Defined | 0.4% | bcprov-jdk15on-1.55.jar | Transitive | 2.0.0.RELEASE | ✅ | ||
| CVE-2015-2156 | 7.5 | Not Defined | 0.9% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| WS-2020-0408 | 7.4 | Not Defined | | netty-handler-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2020-26259 | 6.8 | Not Defined | 89.4% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2023-34462 | 6.5 | Not Defined | 0.8% | netty-handler-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2022-40151 | 6.5 | Not Defined | 0.3% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2022-40150 | 6.5 | Not Defined | 1.3000001% | jettison-1.3.7.jar | Transitive | 4.1.1 | ✅ | ||
| CVE-2022-40149 | 6.5 | Not Defined | 1.3000001% | jettison-1.3.7.jar | Transitive | 4.1.1 | ✅ | ||
| CVE-2021-43797 | 6.5 | Not Defined | 1.2% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2021-39140 | 6.5 | Not Defined | 1.6% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2020-26258 | 6.3 | Not Defined | 88.4% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-21349 | 6.1 | Not Defined | 12.0% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2021-21347 | 6.1 | Not Defined | 30.199999% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2021-21346 | 6.1 | Not Defined | 30.199999% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2023-1436 | 5.9 | Not Defined | 0.3% | jettison-1.3.7.jar | Transitive | 4.1.1 | ✅ | ||
| CVE-2021-21295 | 5.9 | Not Defined | 27.8% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2020-15522 | 5.9 | Not Defined | 0.2% | bcprov-jdk15on-1.55.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2016-1000341 | 5.9 | Not Defined | 0.8% | bcprov-jdk15on-1.55.jar | Transitive | 2.0.0.RELEASE | ✅ | ||
| CVE-2021-21345 | 5.8 | Not Defined | 68.2% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2025-25193 | 5.5 | Not Defined | 0.1% | netty-common-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2024-47535 | 5.5 | Not Defined | 0.1% | netty-common-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2023-33202 | 5.5 | Not Defined | 0.1% | bcprov-jdk15on-1.55.jar | Transitive | N/A* | ❌ | ||
| CVE-2022-24823 | 5.5 | Not Defined | 0.1% | netty-common-4.0.27.Final.jar | Transitive | N/A* | ❌ | ||
| CVE-2021-21351 | 5.4 | Not Defined | 90.3% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2022-22976 | 5.3 | Not Defined | 0.8% | spring-security-crypto-4.2.1.RELEASE.jar | Transitive | 4.1.0 | ✅ | ||
| CVE-2021-21350 | 5.3 | Not Defined | 30.1% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2021-21348 | 5.3 | Not Defined | 14.300001% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2021-21344 | 5.3 | Not Defined | 60.399998% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2021-21343 | 5.3 | Not Defined | 3.3% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2021-21342 | 5.3 | Not Defined | 1.1% | xstream-1.4.10.jar | Transitive | 3.0.3 | ✅ | ||
| CVE-2024-38827 | 4.8 | Not Defined | 0.2% | spring-security-crypto-4.2.1.RELEASE.jar | Transitive | 4.1.0 | ✅ | ||
| CVE-2021-39150 | 8.5 | Not Defined | 5.6000004% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39141 | 8.5 | Not Defined | 62.9% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-39139 | 8.5 | Not Defined | 8.2% | xstream-1.4.10.jar | Transitive | 1.4.1.RELEASE | ✅ | ||
| CVE-2021-37137 | 7.5 | Not Defined | 2.8000002% | netty-codec-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2018-1000180 | 7.5 | Not Defined | 0.5% | bcprov-jdk15on-1.55.jar | Transitive | 2.0.2.RELEASE | ✅ | ||
| CVE-2016-1000338 | 7.5 | Not Defined | 0.4% | bcprov-jdk15on-1.55.jar | Transitive | 2.0.0.RELEASE | ✅ | ||
| CVE-2025-22228 | 7.4 | Not Defined | 0.1% | spring-security-crypto-4.2.1.RELEASE.jar | Transitive | N/A* | ❌ | ||
| CVE-2025-46392 | 6.5 | Not Defined | 0.3% | commons-configuration-1.8.jar | Transitive | N/A* | ❌ | ||
| CVE-2020-5408 | 6.5 | Not Defined | 0.3% | spring-security-crypto-4.2.1.RELEASE.jar | Transitive | 2.0.0.RELEASE | ✅ | ||
| CVE-2021-21290 | 6.2 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 3.0.0 | ✅ | ||
| CVE-2024-30171 | 5.9 | Not Defined | 0.3% | bcprov-jdk15on-1.55.jar | Transitive | N/A* | ❌ | ||
| CVE-2024-29025 | 5.3 | Not Defined | 1.0% | netty-codec-http-4.0.27.Final.jar | Transitive | 3.0.0 | ✅ | ||
| CVE-2023-33201 | 5.3 | Not Defined | 0.2% | bcprov-jdk15on-1.55.jar | Transitive | N/A* | ❌ | ||
| CVE-2021-22113 | 5.3 | Not Defined | 0.2% | spring-cloud-netflix-core-1.2.0.RELEASE.jar | Transitive | 2.0.0.RELEASE | ✅ | ||
| CVE-2020-26939 | 5.3 | Not Defined | 0.1% | bcprov-jdk15on-1.55.jar | Transitive | 2.1.5.RELEASE | ✅ | ||
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (10 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2019-10173
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.core.Caching (Application)
-> com.thoughtworks.xstream.mapper.OuterClassMapper (Extension)
-> com.thoughtworks.xstream.XStream (Extension)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON (regression of CVE-2013-7285).
Publish Date: 2019-07-23
URL: CVE-2019-10173
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 92.6%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hf23-9pf7-388p
Release Date: 2019-07-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.11
CVE-2013-7285
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream$3 (Application)
-> com.thoughtworks.xstream.XStream (Extension)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
Publish Date: 2019-05-15
URL: CVE-2013-7285
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 15.099999%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
Release Date: 2019-05-15
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.10-java7
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-20445
Vulnerable Library - netty-codec-http-4.0.27.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.0.27.Final/netty-codec-http-4.0.27.Final.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar
    - ribbon-2.2.0.jar
      - ribbon-transport-2.2.0.jar
        - rxnetty-0.4.9.jar
          - ❌ netty-codec-http-4.0.27.Final.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
io.netty.handler.codec.http.HttpObjectDecoder (Application)
-> io.netty.handler.codec.http.HttpObjectDecoder$LineParser (Extension)
-> io.netty.handler.codec.http.HttpClientCodec$Decoder (Extension)
-> io.netty.handler.codec.http.HttpClientCodec (Extension)
...
-> org.springframework.http.client.Netty4ClientHttpRequestFactory (Extension)
-> org.springframework.web.client.RestTemplate (Extension)
-> ❌ org.joychou.impl.HttpServiceImpl (Vulnerable Component)
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 10.0%
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-20444
Vulnerable Library - netty-codec-http-4.0.27.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.0.27.Final/netty-codec-http-4.0.27.Final.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar
    - ribbon-2.2.0.jar
      - ribbon-transport-2.2.0.jar
        - rxnetty-0.4.9.jar
          - ❌ netty-codec-http-4.0.27.Final.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
io.netty.handler.codec.http.HttpObjectDecoder (Application)
-> io.netty.handler.codec.http.HttpObjectDecoder$LineParser (Extension)
-> io.netty.handler.codec.http.HttpClientCodec$Decoder (Extension)
-> io.netty.handler.codec.http.HttpClientCodec (Extension)
...
-> org.springframework.http.client.Netty4ClientHttpRequestFactory (Extension)
-> org.springframework.web.client.RestTemplate (Extension)
-> ❌ org.joychou.impl.HttpServiceImpl (Vulnerable Component)
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 8.299999%
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-39154
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream (Application)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39154
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6w62-hx7r-mw68
Release Date: 2021-08-23
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-39153
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream (Application)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39153
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
Release Date: 2021-08-23
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-39152
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream (Application)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the "Security Framework" (https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2021-08-23
URL: CVE-2021-39152
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 16.699999%
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xw4p-crpj-vjx2
Release Date: 2021-08-23
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-39151
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream (Application)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39151
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hph2-m3g5-xxv4
Release Date: 2021-08-23
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-39149
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream (Application)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39149
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ccq-5vw3-2p6x
Release Date: 2021-08-23
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-39148
Vulnerable Library - xstream-1.4.10.jar
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
Dependency Hierarchy:
- spring-cloud-starter-netflix-eureka-client-1.4.0.RELEASE.jar (Root Library)
  - eureka-client-1.4.11.jar
    - ❌ xstream-1.4.10.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
com.thoughtworks.xstream.XStream (Application)
-> ❌ org.joychou.controller.XStreamRce (Vulnerable Component)
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39148
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-qrx8-8545-4wg2
Release Date: 2021-08-23
Fix Resolution (com.thoughtworks.xstream:xstream): 1.4.18
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-netflix-eureka-client): 1.4.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.