Description
XStream has a number of documented vulnerabilities as specified in https://x-stream.github.io/security.html which are fixed in 1.4.18. Note that 1.4.18 is not backport compatible since it uses a new whitelisting approach for serialization.
TinkerPop has a dependency on XStream via: [1]
TinkerPop -> Groovy 2.5.x -> XStream 1.4.10
However, the Groovy 2.5.x series does not consume the version of XStream (1.4.18) that contains the fixes for the vulnerabilities [2], but Groovy 3.x uses XStream 1.4.18, which has the fixes for the vulnerabilities.
Hence, either we convince the Groovy project to backport the vulnerability fixes to the 2.5.x series, or we upgrade Groovy to 3.x for TinkerPop.
IMO, upgrading TP to use Groovy 3.x might be much easier.
[1] https://github.com/apache/tinkerpop/blob/master/pom.xml#L162
[2] https://github.com/apache/groovy/blob/GROOVY_2_5_X/build.gradle#L165
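To confirm which XStream a build actually resolves through the TinkerPop -> Groovy chain, the practical check is to run `mvn dependency:tree -Dincludes=com.thoughtworks.xstream:xstream` and read the path. The script below is an added example written for this page, not code from the TinkerPop or Groovy projects: it parses the text form of `mvn dependency:tree` output, reconstructs the parent chain for every `com.thoughtworks.xstream:xstream` node and flags any version below 1.4.18, the release the issue cites as fixed. The sample tree embedded in it is constructed for illustration (artifact versions are illustrative, not a claim about a particular TinkerPop release); the `LINE_RE` pattern assumes the default `[INFO]`-prefixed tree layout Maven prints.

```python
"""Flag transitive XStream versions below the fixed release in mvn dependency:tree output."""
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (illustrative versions,
# not real TinkerPop build output). The chain mirrors the one the issue
# describes: tinkerpop -> groovy 2.5.x -> xstream 1.4.10.
SAMPLE_TREE = """\
[INFO] org.apache.tinkerpop:gremlin-groovy:jar:3.5.1
[INFO] +- org.codehaus.groovy:groovy:jar:2.5.14:compile
[INFO] |  \\- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] +- org.apache.tinkerpop:gremlin-core:jar:3.5.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

XSTREAM_GA = "com.thoughtworks.xstream:xstream"
FIXED_XSTREAM = (1, 4, 18)  # first release with the fixes the issue cites

# One tree line: "[INFO] " + tree-drawing prefix ("+- ", "|  \- ", ...) +
# group:artifact:type[:classifier]:version[:scope], optionally followed by a
# note such as "(version managed from ...)". Assumed default Maven layout.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>\S+)(?: .*)?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.18' or '1.4.18-SNAPSHOT' into a comparable tuple of ints."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, group:artifact, version) for every dependency line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # not a Maven coordinate
        ga = f"{parts[0]}:{parts[1]}"
        # 6 parts means a classifier sits before the version.
        version = parts[4] if len(parts) == 6 else parts[3]
        depth = len(m.group("prefix")) // 3  # each nesting level is 3 chars wide
        nodes.append((depth, ga, version))
    return nodes


def find_xstream_paths(text: str, fixed: Tuple[int, ...] = FIXED_XSTREAM
                       ) -> List[Tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for each XStream node in the tree.

    The path is the chain of ancestors that pulls XStream in, which is what
    tells you whether the fix belongs in your pom or in an upstream project.
    """
    stack: List[str] = []
    findings = []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]  # drop siblings/children of the previous node
        stack.append(f"{ga}:{version}")
        if ga == XSTREAM_GA:
            vulnerable = parse_version(version) < fixed
            findings.append((" -> ".join(stack), version, vulnerable))
    return findings


if __name__ == "__main__":
    for path, version, vulnerable in find_xstream_paths(SAMPLE_TREE):
        status = "BELOW FIXED RELEASE" if vulnerable else "ok"
        print(f"{status}: xstream {version} via {path}")
```

Run it against real output with `mvn dependency:tree | python3 check_xstream.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the printed chain shows whether XStream arrives through Groovy (the case this issue describes) or through some other dependency that needs its own fix.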
Issue Links
- is related to TINKERPOP-2373 Bump to Groovy 4.0 (Closed)
- is related to TINKERPOP-2703 Build on JDK17 (Closed)