
[Snyk] Security upgrade com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21 #32

Open
gazarianucleussec wants to merge 1 commit into develop from snyk-fix-c4afc38287991ca9c4327cf7f9050edb

Conversation

@gazarianucleussec
Owner


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • webgoat-lessons/vulnerable-components/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue | Score | Upgrade
high severity: Deserialization of Untrusted Data (SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924) | 828 | com.thoughtworks.xstream:xstream: 1.4.5 -> 1.4.21
Proof of Concept

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Deserialization of Untrusted Data
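The upgrade above removes the known XStream CVEs, but "Deserialization of Untrusted Data" in XStream is ultimately bounded by which classes an instance is allowed to instantiate, so a practitioner reviewing this PR would also want to see the instance locked to an explicit allowlist. The following is an added example, not code from the original page or from the WebGoat project: it builds an XStream instance that denies every type by default, grants only primitives, null, String and one hypothetical `Vote` class, and then feeds it one constructed well-formed document and one constructed document whose root element names an unrelated JDK class. The `Vote` type, the `parseVote` helper and both XML strings are assumptions made for the demonstration; the permission API (`addPermission`, `allowTypes`, `ForbiddenClassException`) is XStream's own and is present in every 1.4.7+ release, including 1.4.21.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not WebGoat code): an XStream instance restricted to an
 * explicit allowlist, exercised against one expected document and one that
 * names a class the application never intends to deserialize.
 */
public class XStreamAllowlistExample {

    // Hypothetical application type: the only object we ever expect on the wire.
    public static class Vote {
        int id;
        String choice;
    }

    public static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // Start from "deny everything", then grant exactly what the format needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Vote.class });
        // Map the <vote> root element to Vote so callers never send class names.
        xstream.alias("vote", Vote.class);
        return xstream;
    }

    public static Vote parseVote(String xml) {
        return (Vote) hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed benign input: matches the aliased Vote type.
        String ok = "<vote><id>7</id><choice>A</choice></vote>";
        Vote v = parseVote(ok);
        System.out.println("parsed vote id=" + v.id + " choice=" + v.choice);

        // Constructed hostile input: the root element names an arbitrary JDK class,
        // standing in for any attacker-chosen type. The SecurityMapper rejects the
        // class name before any object of that type is instantiated.
        String hostile = "<java.lang.ProcessBuilder><command><string>id</string></command>"
                + "</java.lang.ProcessBuilder>";
        try {
            parseVote(hostile);
            System.out.println("UNEXPECTED: hostile document was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two checks go with this PR. First, the bumped file is the `vulnerable-components` lesson's pom.xml, and a lesson module may depend on the old library's behaviour; Snyk's own note to "check the changes in this PR" applies with extra force there. Second, a version change in one module's pom.xml only helps if it is the version the build actually resolves, so after merging confirm it with `mvn dependency:tree -Dincludes=com.thoughtworks.xstream` at the reactor root and make sure no other module still pulls 1.4.5 transitively.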

@gazarianucleussec
Owner Author

Checkmarx One – Scan Summary & Details – 617f6b51-2742-4566-aec4-6abd99c23bc2

New Issues

Severity | Issue | Source File / Package | Checkmarx Insight
CRITICAL | CVE-2024-38821 | Maven-org.springframework.security:spring-security-web-5.4.1 | Vulnerable Package
HIGH | CVE-2023-1973 | Maven-io.undertow:undertow-servlet-2.2.2.Final | Vulnerable Package
HIGH | CVE-2023-1973 | Maven-io.undertow:undertow-core-2.2.2.Final | Vulnerable Package
HIGH | CVE-2023-3223 | Maven-io.undertow:undertow-core-2.2.2.Final | Vulnerable Package
HIGH | CVE-2024-1635 | Maven-io.undertow:undertow-core-2.2.2.Final | Vulnerable Package
HIGH | CVE-2024-38809 | Maven-org.springframework:spring-web-5.3.1 | Vulnerable Package
HIGH | CVE-2024-38816 | Maven-org.springframework:spring-webmvc-5.3.1 | Vulnerable Package
HIGH | CVE-2024-47554 | Maven-commons-io:commons-io-2.6 | Vulnerable Package
HIGH | CVE-2024-7885 | Maven-io.undertow:undertow-core-2.2.2.Final | Vulnerable Package
HIGH | Reflected_XSS_All_Clients | /webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java: 132 (2 results) | Attack Vector
MEDIUM | CVE-2024-38808 | Maven-org.springframework:spring-expression-5.3.1 | Vulnerable Package
MEDIUM | CVE-2024-38820 | Maven-org.springframework:spring-context-5.3.1 | Vulnerable Package
MEDIUM | CVE-2024-38820 | Maven-org.springframework:spring-webmvc-5.3.1 | Vulnerable Package
MEDIUM | CVE-2024-38820 | Maven-org.springframework:spring-web-5.3.1 | Vulnerable Package
MEDIUM | CVE-2024-38820 | Maven-org.springframework:spring-core-5.3.1 | Vulnerable Package
MEDIUM | CVE-2024-43799 | Npm-send-0.16.2 | Vulnerable Package
MEDIUM | CVE-2024-43800 | Npm-serve-static-1.13.2 | Vulnerable Package
MEDIUM | CVE-2024-47764 | Npm-cookie-0.3.1 | Vulnerable Package
MEDIUM | CVE-2024-6484 | Npm-bootstrap-3.1.1 | Vulnerable Package
MEDIUM | CVE-2024-6484 | Maven-org.webjars:bootstrap-3.3.7 | Vulnerable Package
MEDIUM | CVE-2024-6485 | Maven-org.webjars:bootstrap-3.3.7 | Vulnerable Package
MEDIUM | CVE-2024-6485 | Npm-bootstrap-3.1.1 | Vulnerable Package
MEDIUM | CVE-2024-6531 | Npm-bootstrap-4.2.1 | Vulnerable Package
MEDIUM | CVE-2024-8184 | Maven-org.eclipse.jetty:jetty-server-9.4.34.v20201102 | Vulnerable Package
MEDIUM | CVE-2024-9823 | Maven-org.eclipse.jetty:jetty-servlets-9.4.34.v20201102 | Vulnerable Package
MEDIUM | Parameter_Tampering | /webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java: 85 (2 results) | Attack Vector
MEDIUM | Parameter_Tampering | /webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java: 64 (2 results) | Attack Vector
MEDIUM | Parameter_Tampering | /webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java: 64 | Attack Vector
LOW | CVE-2024-6762 | Maven-org.eclipse.jetty:jetty-servlets-9.4.34.v20201102 | Vulnerable Package
LOW | CVE-2024-6763 | Maven-org.eclipse.jetty:jetty-http-9.4.34.v20201102 | Vulnerable Package
LOW | CVE-2024-6763 | Maven-org.eclipse.jetty:jetty-server-9.4.34.v20201102 | Vulnerable Package

Fixed Issues

Severity | Issue | Source File / Package
HIGH | CVE-2013-7285 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2016-3674 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2017-7957 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2020-26217 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2020-26258 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21341 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21342 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21343 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21344 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21345 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21346 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21347 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21348 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21349 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21350 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-21351 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-23358 | Npm-underscore-1.10.2
HIGH | CVE-2021-29505 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39139 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39141 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39144 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39145 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39146 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39147 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39148 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39149 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39150 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39151 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39152 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39153 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-39154 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2021-43859 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2022-40152 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | CVE-2022-41966 | Maven-com.thoughtworks.xstream:xstream-1.4.5
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js: 43 (30 results)
MEDIUM | CVE-2020-26259 | Maven-com.thoughtworks.xstream:xstream-1.4.5
MEDIUM | CVE-2021-39140 | Maven-com.thoughtworks.xstream:xstream-1.4.5
LOW | Log_Forging | /webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java: 40 (26 results)


2 participants