Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Xstream deserialization vulnerability exists #1421

Closed
LvK8 opened this issue Aug 23, 2021 · 4 comments
Closed

Xstream deserialization vulnerability exists #1421

LvK8 opened this issue Aug 23, 2021 · 4 comments

Comments

@LvK8
Copy link

LvK8 commented Aug 23, 2021

XStream all versions until and including version 1.4.17 are affected, if using the version out of the box. The latest version of Eureka-client uses XStream 1.4.17. This version has CVE-2021-39141 vulnerability. Please fix it immediately!
https://x-stream.github.io/CVE-2021-39141.html
https://github.com/Netflix/eureka/blob/master/eureka-client/src/main/java/com/netflix/discovery/converters/EntityBodyConverter.java
https://github.com/Netflix/eureka/blob/master/eureka-client/build.gradle

@LvK8
Copy link
Author

LvK8 commented Aug 24, 2021

Can I submit this vulnerability to Bugcrowd and apply for CVE?

@troshko111
Copy link
Contributor

Do you mean apply for a CVE in Eureka due to its dependency on a library which is known to have the actual CVE itself? I have not seen this commonly done tbh, otherwise pretty much all software will transitively be vulnerable at some version via some direct/indirect dependency.

@LvK8
Copy link
Author

LvK8 commented Aug 24, 2021

Thank you very much for your advice, but eureka does have this security vulnerability, can I submit this vulnerability on Bugcrowd?

@troshko111
Copy link
Contributor

There are two things here, one is Bugcrowd usage in general:

  1. Typically we do accept issues for our OSS projects in Bugcrowd. Specifically for this issue it was reported prior to you sending it to us here, and we only reward the first reporter. In the future, we encourage you to send issues directly to Bugcrowd and we'll evaluate them against our program's criteria.

Second is regarding CVEs for outdated libs being used:

  1. As for CVEs we don't typically create them for out of date libraries we use like this, but depending on the vulnerability, we do create them for issues in our own code.

Thanks again and we hope to see your future submissions on Bugcrowd.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants