Details
-
Bug
-
Resolution: Fixed
-
Medium
-
7.4.4
-
3
-
Severity 2 - Major
-
26
-
Description
Problem
XStream is vulnerable to security exploits including CVE-2021-29505. This ticket tracks it's upgrade to 1.4.17
We have upgraded XStream to 1.4.17. If your plugin bundles your own version of XStream you will also need to upgrade to this version or later. This is because XStream 1.4.16 provides a newer implementation of XmlPullParser through service loader. XStream's default parser has changed from Xpp3 to MXParser, which is a fork of Xpp3. You can read more about the changes in the XStream change log.
When upgrading XStream in our own plugins, we found that it remained compatible with older Confluence versions, as there's a dependency of xpp3_min which helps the plugin to work with older XmlPullParser implementations mentioned in service loader in older Confluence versions.
Environment
Confluence v7.4
Workaround
There are no workaround available for this up til now.
Attachments
Issue Links
- links to