On 07/02/2018 at 16:43, Chun Ling Li wrote:
I saw a dependency xstream-1.3.1.jar in lsc-core-2.1.4.tar. But
xstream-1.3.1 has vulnerabilities.
CVE-2016-3674
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674>
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Multiple XML external entity (XXE) vulnerabilities in the (1)
Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5)
SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in
XStream before 1.4.9 allow remote attackers to read arbitrary files
via a crafted XML document.
In LSC 2.1.4, I didn't see any code using xstream. LSC uses Jaxb to
convert XML to objects in JaxbXmlConfigurationHelper. Why does LSC still
need xstream as a dependency? Is it safe to remove it?
I don't know if Xstream is still used in LSC. But as LSC is only reading
XML configuration files made by system administrators, I think the
vulnerability is quite limited.
Clément.
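The question above (is xstream-1.3.1 dead weight in 2.1.4, and is it safe to drop?) can be settled from the shipped binaries rather than by reading source: every class in lsc-core, and in every other jar under lib/, carries the names of the classes it touches in its constant pool, so a scan for the XStream package catches direct use, reflective use via a `Class.forName("com.thoughtworks.xstream...")` literal, and use by a transitive dependency that a grep of the LSC sources would miss. The script below is an added example, not code from this thread or from the LSC project: the package prefix `com/thoughtworks/xstream` is assumed, and the sample jar it scans is constructed in-memory (the class names in it are made up for the demonstration).

```python
import io
import struct
import zipfile

# Assumed package prefix of the XStream classes (internal JVM name form).
XSTREAM_PREFIX = "com/thoughtworks/xstream"

# Constant-pool tag -> size of its fixed payload in bytes (JVM spec, section 4.4).
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
_FIXED_PAYLOAD = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                  12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_entries(class_bytes):
    """Yield every CONSTANT_Utf8 string in a .class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index = 10, 1
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            yield class_bytes[pos:pos + length].decode("utf-8", "replace")
            pos += length
        else:
            pos += _FIXED_PAYLOAD[tag]
        # CONSTANT_Long and CONSTANT_Double occupy two constant-pool slots.
        index += 2 if tag in (5, 6) else 1


def references_in_jar(jar_bytes, prefix=XSTREAM_PREFIX):
    """Map each class in the jar that mentions `prefix` to the matching pool strings.

    Both the internal form (com/thoughtworks/xstream/...) and the dotted form
    found in Class.forName string literals are matched.
    """
    dotted = prefix.replace("/", ".")
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            refs = sorted({s for s in utf8_entries(jar.read(name))
                           if prefix in s or dotted in s})
            if refs:
                hits[name] = refs
    return hits


def make_class(strings):
    """Constructed, minimal class-file bytes: a constant pool holding `strings`
    plus one CONSTANT_Class and one CONSTANT_Long to exercise the other paths.
    Enough for the scanner; not a loadable class."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    pool += b"\x07" + struct.pack(">H", 1)   # CONSTANT_Class -> entry 1
    pool += b"\x05" + bytes(8)               # CONSTANT_Long (two slots)
    count = len(strings) + 1 + 2 + 1         # number of slots + 1, per the spec
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count)
    return header + pool + bytes(14)         # empty flags/fields/methods/attrs


def make_jar(entries):
    """Constructed in-memory jar from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()


# Constructed sample: one class that only uses JAXB, one made-up legacy class
# that references XStream both directly and through a reflective dotted string.
SAMPLE_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/lsc/configuration/JaxbXmlConfigurationHelper.class": make_class([
        "org/lsc/configuration/JaxbXmlConfigurationHelper",
        "javax/xml/bind/JAXBContext",
    ]),
    "org/lsc/legacy/OldLoader.class": make_class([
        "org/lsc/legacy/OldLoader",
        "com/thoughtworks/xstream/XStream",
        "com/thoughtworks/xstream/io/xml/DomDriver",
        "com.thoughtworks.xstream.XStream",
    ]),
})


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        print("sample jar:", references_in_jar(SAMPLE_JAR))
    for path in paths:
        with open(path, "rb") as fh:
            for cls, refs in references_in_jar(fh.read()).items():
                print(f"{path}: {cls} -> {', '.join(refs)}")
```

Run it as `python scan_refs.py lsc-core-2.1.4.jar lib/*.jar` over an unpacked lsc-core-2.1.4.tar; an empty result for every jar is the evidence that the xstream jar can be dropped from the classpath, while a hit in some other jar shows a transitive consumer that would break without it. If the scan does show a consumer, the XXE described in CVE-2016-3674 is only reachable where XML from outside the administrator's control is fed to one of the affected XStream drivers, which is the point made in the reply above. For a Maven build the same question can be asked at source level with the standard `mvn dependency:analyze` goal of the maven-dependency-plugin, and `jdeps` from the JDK reports package-level dependencies of a jar; the script here does the check offline on exactly the bytes that ship.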
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users