-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Xstream deserialization vulnerability exists #1421
Comments
Can I submit this vulnerability to Bugcrowd and apply for CVE? |
Do you mean apply for a CVE in Eureka due to its dependency on a library which is known to have the actual CVE itself? I have not seen this commonly done tbh, otherwise pretty much all software will transitively be vulnerable at some version via some direct/indirect dependency. |
Thank you very much for your advice, but eureka does have this security vulnerability, can I submit this vulnerability on Bugcrowd? |
There are two things here, one is Bugcrowd usage in general:
Second is regarding CVEs for outdated libs being used:
Thanks again and we hope to see your future submissions on Bugcrowd. |
XStream all versions until and including version 1.4.17 are affected, if using the version out of the box. The latest version of Eureka-client uses XStream 1.4.17. This version has CVE-2021-39141 vulnerability. Please fix it immediately!
https://x-stream.github.io/CVE-2021-39141.html
https://github.com/Netflix/eureka/blob/master/eureka-client/src/main/java/com/netflix/discovery/converters/EntityBodyConverter.java
https://github.com/Netflix/eureka/blob/master/eureka-client/build.gradle
The text was updated successfully, but these errors were encountered: