Details

    Description

      Problem

      XStream is vulnerable to security exploits including CVE-2021-29505. This ticket tracks it's upgrade to 1.4.17 

      Atlassian Update - July 2021

      We have upgraded XStream to 1.4.17.  If your plugin bundles your own version of XStream you will also need to upgrade to this version or later. This is because XStream 1.4.16 provides a newer implementation of XmlPullParser through service loader. XStream's default parser has changed from Xpp3 to MXParser, which is a fork of Xpp3.  You can read more about the changes in the XStream change log.

      When upgrading XStream in our own plugins, we found that it remained compatible with older Confluence versions, as there's a dependency of xpp3_min which helps the plugin to work with older XmlPullParser implementations mentioned in service loader in older Confluence versions.

      Environment

      Confluence v7.4

      Workaround

      There are no workaround available for this up til now.

      Attachments

        Issue Links

          Activity

            People

              ggautam Ganesh Gautam
              haftab Hassan Aftab
              Votes:
              5 Vote for this issue
              Watchers:
              28 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: