
What is the trigger condition of CVE-2022-40156, CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 in XStream.fromXML? Is the version affected only when XStream.fromXML is called?

Open BadTrasher opened this issue 3 years ago • 6 comments

BadTrasher avatar Sep 23 '22 06:09 BadTrasher

will there be a security update?

https://avd.aquasec.com/nvd/2022/cve-2022-40153/

3XC1T3D avatar Sep 29 '22 11:09 3XC1T3D

Related to the current version, and not exactly sure where to post the comment. But wondering when a new version may be available that addresses the 9 vulns currently affecting version 1.4.19 https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.19

tim-jacobsen-wgu avatar Sep 29 '22 18:09 tim-jacobsen-wgu

Any news about those CVEs and their fixes?

Best regards

3XC1T3D avatar Oct 09 '22 19:10 3XC1T3D

Also looking for an update on the open CVEs against XStream: CVE-2022-40156, CVE-2022-40155, CVE-2022-40154, CVE-2022-40153, CVE-2022-40152, CVE-2022-40151. #304 appears to also mention these CVEs. Will that ticket cover all CVEs above?

Derv0 avatar Oct 10 '22 14:10 Derv0

Jenkins uses this xstream & the grace period is also over (expired 6 days ago) for the CVEs (CVE-2022-40152, CVE-2022-40151). When can we expect the fix?

smarlaku820 avatar Oct 12 '22 09:10 smarlaku820

I've come here after getting CVE warnings too. Based on https://github.com/x-stream/xstream/issues/262, I suspect most users should consider switching to alternative APIs/libs - e.g. XMLInputFactory (StAX parsing), jackson-dataformat-xml, JAXB, etc.

Thanks @joehni for maintaining this great library. Those OSS Fuzz guys are causing real chaos in the OSS community. They should try much harder to engage with lib maintainers before raising the CVEs.

pjfanning avatar Oct 13 '22 09:10 pjfanning

I agree, XStream is an amazing library! @pjfanning, maybe I misunderstood, but is there news of the XStream project closing, given that you suggest switching to alternatives and give (well deserved) thanks to @joehni?

act-amirsky avatar Oct 18 '22 10:10 act-amirsky

As most of you may have noticed, XStream cannot do anything about CVEs 2022-40152 to 2022-40156. Apart from that, this ticket simply duplicates #304.

joehni avatar Nov 14 '22 23:11 joehni