[ https://issues.apache.org/jira/browse/TINKERPOP-2677?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ken Hu updated TINKERPOP-2677:
------------------------------
    Fix Version/s: 3.7.0

> Upgrade to Groovy 3.x to fix XStream security vulnerability
> -----------------------------------------------------------
>
>                 Key: TINKERPOP-2677
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2677
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: groovy
>    Affects Versions: 3.6.0, 3.5.2
>            Reporter: Divij Vaidya
>            Priority: Major
>             Fix For: 3.7.0
>
>
> XStream has a number of documented vulnerabilities as specified in
> [https://x-stream.github.io/security.html] which are fixed in 1.4.18. Note
> that 1.4.18 is not backport compatible since it uses a new whitelisting
> approach for serialization.
> TinkerPop has a dependency on XStream via: [1]
> TinkerPop -> Groovy 2.5.x -> XStream 1.4.10
> However, the Groovy 2.5.x series does not consume the version of XStream (1.4.18)
> which contains the fixes for the vulnerabilities [2], but Groovy 3.x uses
> XStream (1.4.18), which has the fixes for the vulnerabilities.
> Hence, either we convince the Groovy project to backport the vulnerability
> fixes to the 2.5.x series or we upgrade Groovy to 3.x for TinkerPop.
> IMO, upgrading TP to use Groovy 3.x might be much easier.
> [1] https://github.com/apache/tinkerpop/blob/master/pom.xml#L162
> [2] https://github.com/apache/groovy/blob/GROOVY_2_5_X/build.gradle#L165

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
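The transitive chain the issue describes (TinkerPop -> Groovy 2.5.x -> XStream 1.4.10) is the kind of thing a build audit should surface automatically. The script below is an added example, not part of the issue or of TinkerPop: it parses `mvn dependency:tree` text, reports every path that ends in an XStream artifact older than 1.4.18, and runs over a constructed sample tree (the Groovy patch version 2.5.14 and the other artifacts are assumed for illustration, not taken from the TinkerPop build).

```python
import re

# Constructed sample of `mvn dependency:tree` output (not captured from the
# TinkerPop build); the chain mirrors the one the issue describes:
# TinkerPop -> Groovy 2.5.x -> XStream 1.4.10.
SAMPLE_TREE = """\
[INFO] org.apache.tinkerpop:gremlin-groovy:jar:3.6.0
[INFO] +- org.apache.tinkerpop:gremlin-core:jar:3.6.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.codehaus.groovy:groovy:jar:2.5.14:compile
[INFO] |  \\- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

FIXED = (1, 4, 18)  # XStream release the issue names as containing the fixes
XSTREAM = "com.thoughtworks.xstream:xstream"


def parse_version(version):
    """'1.4.10' -> (1, 4, 10); tolerates qualifiers such as '-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def dependency_paths(tree, artifact):
    """Return every root -> ... -> artifact path found in dependency:tree text."""
    paths, stack = [], []
    for raw in tree.splitlines():
        line = raw.replace("[INFO] ", "", 1)
        # Each tree column is 3 chars wide: '+- ', '\- ', '|  ' or '   '.
        m = re.match(r"^((?:[+\\|][- ]{2}|   )*)(\S+)", line)
        if not m:
            continue
        depth, coord = len(m.group(1)) // 3, m.group(2)
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        if coord.startswith(artifact + ":"):
            paths.append(list(stack))
    return paths


def vulnerable_xstream_paths(tree, min_fixed=FIXED):
    """Paths that end in an XStream version older than the fixed release."""
    hits = []
    for path in dependency_paths(tree, XSTREAM):
        version = path[-1].split(":")[3]   # groupId:artifactId:type:version[:scope]
        if parse_version(version) < min_fixed:
            hits.append(" -> ".join(path))
    return hits


if __name__ == "__main__":
    for hit in vulnerable_xstream_paths(SAMPLE_TREE):
        print("XStream below 1.4.18 via:", hit)
```

Run it against real output (`mvn dependency:tree | python check_xstream.py`-style piping would need a small stdin wrapper) to see which direct dependency drags the old XStream in, which is the fact that decides between pinning the version and upgrading the intermediate library.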