Xstream deserialization vulnerability exists

[LvK8]

XStream all versions until and including version 1.4.17 are affected, if using the version out of the box. The latest version of Eureka-client uses XStream 1.4.17. This version has CVE-2021-39141 vulnerability. Please fix it immediately!
https://x-stream.github.io/CVE-2021-39141.html
https://github.com/Netflix/eureka/blob/master/eureka-client/src/main/java/com/netflix/discovery/converters/EntityBodyConverter.java
https://github.com/Netflix/eureka/blob/master/eureka-client/build.gradle

[LvK8]

Can I submit this vulnerability to Bugcrowd and apply for CVE?

[troshko111]

Do you mean apply for a CVE in Eureka due to its dependency on a library which is known to have the actual CVE itself? I have not seen this commonly done tbh, otherwise pretty much all software will transitively be vulnerable at some version via some direct/indirect dependency.

[LvK8]

Thank you very much for your advice, but eureka does have this security vulnerability, can I submit this vulnerability on Bugcrowd?

[troshko111]

There are two things here, one is Bugcrowd usage in general:

1. Typically we do accept issues for our OSS projects in Bugcrowd. Specifically for this issue it was reported prior to you sending it to us here, and we only reward the first reporter. In the future, we encourage you to send issues directly to Bugcrowd and we'll evaluate them against our program's criteria.

Second is regarding CVEs for outdated libs being used:

2. As for CVEs we don't typically create them for out of date libraries we use like this, but depending on the vulnerability, we do create them for issues in our own code.

Thanks again and we hope to see your future submissions on Bugcrowd.