Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.18.0
Affects Version/s: 7.10.0, 7.13.0
Component/s: Security
Labels:

Support reference count:
17
Symptom Severity:
Severity 2 - Major
UIS:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Problem

XStream is vulnerable to security exploits such as highlighted in the image attached.
The list of CVEs can be found in https://x-stream.github.io/security.html

This ticket tracks its upgrade to 1.4.18.

Environment

Confluence v7.13

Workaround

Set xstream.allowlist.enable sysprop to true. This is equivalent to XStream 1.4.18 behaviour and it exist in Confluence 7.10 and up. But it comes with a risk of broken third-party plugins which have not yet configured xstream-security module with their classes. Confirm with Third-party plugin vendors before toggling it if your Confluence instance uses a third-party plugin and it relies on XStream.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

1.4.18 vulnerabilities.png
326 kB
10/Sep/2021 4:34 AM

Issue Links

links to

Original (master branch) ticket on AsecJ > VULN

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(23 mentioned in)

Activity

People

Assignee:: Navaz Sayyed (Inactive)

Reporter:: Pascal Oberle

Votes:: 24 Vote for this issue

Watchers:: 27 Start watching this issue

Dates

Due:: 15/Mar/2022

Created:: 10/Sep/2021 4:35 AM

Updated:: 03/Aug/2022 4:33 AM

Resolved:: 30/May/2022 12:59 AM