
How to remove com.thoughtworks.xstream_xstream critical vulnerabilities?

I have a Spring Boot application. When I add this plugin

<plugin>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-maven-plugin</artifactId>
</plugin>

in the build section, I get these vulnerabilities.

+----------------+----------+------+----------------------------------+---------+---------------------------------+-----------+------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE            | Severity | CVSS | Package                          | Version | Status                          | Published | Discovered | Description                                                                                                                                          |
+----------------+----------+------+----------------------------------+---------+---------------------------------+-----------+------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2021-21345 | critical | 9.90 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21350 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21347 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21346 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21344 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21351 | critical | 9.10 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote at... |
| CVE-2021-21342 | critical | 9.10 | com.thoughtworks.xstream_xstream | 1.4.7   | fixed in 1.4.16 (> 1 years ago) | > 1 years | < 1 hour   | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed s... |
+----------------+----------+------+----------------------------------+---------+---------------------------------+-----------+------------+------------------------------------------------------------------------------------------------------------------------------------------------------+

I also tried adding it in the dependencies section, but it still gives the same result.

<dependency>
  <groupId>com.thoughtworks.xstream</groupId>
  <artifactId>xstream</artifactId>
  <version>1.4.18</version>
</dependency>

What should I change in my POM.xml to remove these vulnerabilities?

You can check the Maven documentation for any known vulnerabilities associated with any nested dependencies: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-maven-plugin

It seems you are using a specific old version of the plugin that has these vulnerabilities; try updating to the latest version.
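An added example of the POM change, not part of the question or the answer above. It assumes, as the scan output and the answer suggest, that XStream 1.4.7 is pulled in by spring-boot-maven-plugin's own dependency tree rather than by the application. Maven resolves a plugin's dependencies on a separate classpath from the project's, so a project-level <dependency> on xstream 1.4.18 (what the question tried) leaves the plugin's copy of 1.4.7 untouched; a <dependency> declared inside the <plugin> element does override it. The plugin version placeholder is an assumption; in a project that inherits from spring-boot-starter-parent or imports the Spring Boot BOM the version can be omitted and comes from the parent.

```xml
<!-- Added example pom.xml fragment, not from the original post.
     Assumes the flagged XStream comes from the plugin's classpath. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
      <!-- Assumed: prefer the newest plugin release, as the answer recommends.
           Omit <version> when a Spring Boot parent/BOM manages it. -->
      <version>${spring-boot.version}</version>
      <dependencies>
        <!-- Overrides the XStream version on the plugin's own classpath.
             This is what a project-level <dependency> cannot do. -->
        <dependency>
          <groupId>com.thoughtworks.xstream</groupId>
          <artifactId>xstream</artifactId>
          <!-- 1.4.18 is the version the question tried; every CVE in the scan
               is fixed in 1.4.16, but newer 1.4.x releases fix later issues,
               so use the latest available. -->
          <version>1.4.18</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

To confirm where the flagged artifact comes from before editing: `mvn dependency:tree -Dincludes=com.thoughtworks.xstream` shows whether the application itself depends on XStream (if it prints nothing, the project-level dependency was never the problem), and `mvn dependency:resolve-plugins` lists each plugin with its resolved dependencies, where xstream 1.4.7 should appear under spring-boot-maven-plugin before the change and 1.4.18 after it. Re-run the scanner after the change rather than trusting the tree alone, since the scanner may be inspecting the local repository or the built image rather than the POM.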
