The XStream library has reported CVE-2024-47072, a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.
Let's backport the change from PR-9954 to the stable-2.479 line so that it can be part of Jenkins 2.479.2.
Originally reported by markewaite, imported from: Backport the xstream 1.4.21 upgrade to Jenkins 2.479.2
- status: Closed
- priority: Minor
- component(s): core
- label(s): 2.479.2-fixed
- resolution: Fixed
- resolved: 2024-11-09T16:35:39+00:00
- votes: 0
- watchers: 1
- imported: 2025-11-24