- Bug
- Resolution: Fixed
- Low
- 7.10.0, 7.13.0
- 17
- Severity 2 - Major
- 4
Problem
The version of XStream bundled with Confluence is affected by published security vulnerabilities (see the attached image).
The list of CVEs can be found at https://x-stream.github.io/security.html
This ticket tracks the upgrade to XStream 1.4.18.
Environment
Confluence v7.13
Workaround
Set the system property xstream.allowlist.enable to true. This switches Confluence's XStream usage to allowlist mode, which is equivalent to the default behaviour of XStream 1.4.18; the property exists in Confluence 7.10 and later. It carries a risk: third-party plugins that have not yet registered their classes with the xstream-security module will break, because XStream refuses to deserialize any type that is not on the allowlist. If your Confluence instance uses a third-party plugin that relies on XStream, confirm with the vendor before toggling the property.
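The following is an added example and not part of the Atlassian ticket: a small POSIX shell helper that applies the workaround by appending the -Dxstream.allowlist.enable=true JVM flag to CATALINA_OPTS in Confluence's bin/setenv.sh, idempotently and with a backup, plus a check that reads the property back from a running JVM. The setenv.sh path, the CATALINA_OPTS line layout, and the helper names are assumptions; inspect your own setenv.sh before running it against a real install.

```shell
#!/bin/sh
# Added example (not Atlassian's code): enable the XStream allowlist workaround
# for Confluence 7.10+ by adding -Dxstream.allowlist.enable=true to CATALINA_OPTS.
# Assumptions: the JVM options live in <confluence-install>/bin/setenv.sh and
# follow the usual CATALINA_OPTS="... ${CATALINA_OPTS}" layout.

XSTREAM_FLAG='-Dxstream.allowlist.enable=true'

# Returns 0 if setenv.sh ($1) already carries the flag, 1 otherwise.
# "--" is required because the pattern itself starts with a dash.
xstream_allowlist_enabled() {
    grep -q -- "$XSTREAM_FLAG" "$1"
}

# Idempotently appends a CATALINA_OPTS line carrying the flag to setenv.sh ($1).
# Existing options are preserved because the new line prepends to ${CATALINA_OPTS}.
# A backup copy ($1.bak) is written before the file is modified.
enable_xstream_allowlist() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if xstream_allowlist_enabled "$f"; then
        return 0            # already applied; nothing to do
    fi
    cp "$f" "$f.bak" || return 1
    printf '\n# XStream allowlist workaround (equivalent to XStream 1.4.18 default behaviour)\nCATALINA_OPTS="%s ${CATALINA_OPTS}"\nexport CATALINA_OPTS\n' \
        "$XSTREAM_FLAG" >> "$f"
}

# Verifies the property on a running Confluence JVM ($1 = PID) using jcmd's
# VM.system_properties command; only meaningful after a restart.
check_running_jvm() {
    jcmd "$1" VM.system_properties | grep -q 'xstream.allowlist.enable=true'
}

# Usage (hypothetical path): ./enable_xstream_allowlist.sh /opt/atlassian/confluence/bin/setenv.sh
if [ "$#" -gt 0 ]; then
    enable_xstream_allowlist "$1" && echo "flag present in $1; restart Confluence to apply"
fi
```

Confluence must be restarted for the new CATALINA_OPTS to take effect; once it is back up, check_running_jvm confirms the property through jcmd rather than trusting the file edit alone. Before enabling this on a production instance, test it against a staging copy with every third-party plugin that uses XStream, since the allowlist rejects any class those plugins have not registered.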