I have a Spring Boot application. When I add this plugin
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
in the build section, I am getting these vulnerabilities.
| CVE | Severity | CVSS | Package | Version | Status | Published | Discovered | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21345 | critical | 9.90 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21350 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21347 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21346 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21344 | critical | 9.80 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a rem... |
| CVE-2021-21351 | critical | 9.10 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote at... |
| CVE-2021-21342 | critical | 9.10 | com.thoughtworks.xstream_xstream | 1.4.7 | fixed in 1.4.16 > 1 years ago | > 1 years | < 1 hour | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed s... |
I also tried adding this in the dependencies section, but it still gives the same result.
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.18</version>
</dependency>
What should I change in my pom.xml to remove these vulnerabilities?
CodePudding user response:
You can check the Maven documentation for any known vulnerabilities associated with any nested dependency: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-maven-plugin
It seems that you are using a specific old version of the plugin which has those vulnerabilities; try to update to the latest one.
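The following pom.xml build section is an added example; it is not the asker's pom.xml or the answerer's code. It pins the plugin version explicitly and, in addition, overrides the XStream version on the plugin's own classpath. Maven resolves a plugin's dependencies separately from the project's `<dependencies>`, which is why an xstream entry in the project's dependencies section leaves the plugin's classpath (and what the scanner reports for it) unchanged; a `<dependencies>` element nested inside `<plugin>` does affect it. The plugin version is a placeholder to be replaced with the current release from the mvnrepository page linked above; the XStream version reuses 1.4.18 from the question, which is at or above the 1.4.16 fix version the scanner reports.

```xml
<!-- Added example, not the poster's pom.xml. Pins the plugin version and
     overrides a transitive dependency on the plugin's own classpath. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
      <!-- PLACEHOLDER: replace X.Y.Z with the current spring-boot-maven-plugin
           release. If the project inherits from spring-boot-starter-parent,
           the version is normally inherited; setting it here overrides that. -->
      <version>X.Y.Z</version>
      <!-- Dependencies declared here apply to the plugin's classpath, not the
           application's. A project-level <dependency> on xstream cannot change
           this. 1.4.18 is the version from the question; it is above the
           1.4.16 fix version the scanner reports. -->
      <dependencies>
        <dependency>
          <groupId>com.thoughtworks.xstream</groupId>
          <artifactId>xstream</artifactId>
          <version>1.4.18</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

To confirm the override took effect before re-running the scanner, run `mvn dependency:resolve-plugins` (a goal of maven-dependency-plugin) and check which xstream version is listed among the resolved plugin dependencies; `mvn dependency:tree` only covers the application's own dependencies and will not show the plugin's classpath.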