I saw a dependency, xstream-1.3.1.jar, in the lsc tar. xstream-1.3.1 has vulnerabilities.

Severity: Medium 
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 
CWE: CWE-200 Information Exposure

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

 
But I didn't see where lsc uses it. LSC uses JAXB to convert XML to objects in JaxbXmlConfigurationHelper. Why does lsc still need xstream as a dependency? Is it safe to remove it?

Chun Ling Li(李春玲)
IBM Connection Metrics/Activities/ITM
[email protected] | 8610-82452758

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users

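The question above (is xstream actually referenced anywhere in the distribution, or only shipped?) can be answered from the shipped bytecode rather than by reading source. The script below is an added example, not code from the LSC project or from the poster. It assumes the tarball has been unpacked into a directory and that `unzip` and GNU-style `grep` are available. JVM class files keep every class they link against in their constant pool in internal form (`com/thoughtworks/xstream/...`), and reflective loads usually carry the dotted form as a string literal, so a byte search over the `.class` files for either form lists every class that could ever pull XStream in; the xstream jar itself is excluded from the scan because it trivially matches.

```shell
#!/bin/sh
# Added example (not LSC project code): find compiled classes in an unpacked
# distribution that reference the XStream package, so an unused jar can be
# told apart from one that is really on a code path.
set -e

# Match both the constant-pool form (slashes) and the string-literal form
# used by Class.forName-style reflective loading (dots).
XSTREAM_PKG='com[/.]thoughtworks[/.]xstream'

# unpack_jars DIR: extract every .jar under DIR (except xstream itself) into
# DIR/_classes/<jarname>/ so the class files can be scanned on disk.
unpack_jars() {
    dir=$1
    out="$dir/_classes"
    mkdir -p "$out"
    find "$dir" -name '*.jar' ! -name 'xstream-*.jar' ! -path "$out/*" |
    while read -r jar; do
        # -o overwrite without prompting, -q quiet, -d destination directory
        unzip -oq "$jar" -d "$out/$(basename "$jar" .jar)"
    done
}

# find_xstream_refs DIR: print each .class file under DIR that names an
# XStream class. Returns 0 if at least one was found, 1 if none.
find_xstream_refs() {
    dir=$1
    # -a treat binary class files as text, -l print file names only,
    # -r recurse, -E extended regex; --include restricts to class files.
    hits=$(grep -raEl --include='*.class' "$XSTREAM_PKG" "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Usage: sh check-xstream.sh /path/to/unpacked/lsc
if [ $# -eq 1 ]; then
    unpack_jars "$1"
    if find_xstream_refs "$1/_classes"; then
        echo "XStream is referenced by the classes listed above"
    else
        echo "no compiled class references $XSTREAM_PKG (static or by name)"
    fi
fi
```

A hit inside a third-party jar rather than in lsc's own classes means another dependency, not LSC, is the consumer, and dropping the jar would break that library instead. An empty result is strong evidence the jar is dead weight for this build, though it cannot see classes loaded by a name assembled at runtime. For a Maven checkout, `mvn dependency:analyze` gives the same answer from the build's point of view by listing "Unused declared dependencies". Either way, the XXE in CVE-2016-3674 is only reachable if attacker-controlled XML is fed to one of the listed drivers, and the upstream fix is XStream 1.4.9 or later.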