Divij Vaidya created TINKERPOP-2677:
---------------------------------------

Summary: Upgrade to Groovy 3.x to fix XStream security vulnerability
Key: TINKERPOP-2677
URL: https://issues.apache.org/jira/browse/TINKERPOP-2677
Project: TinkerPop
Issue Type: Bug
Components: groovy
Affects Versions: 3.6.0, 3.5.2
Reporter: Divij Vaidya

XStream has a number of documented vulnerabilities, as specified in [https://x-stream.github.io/security.html], which are fixed in 1.4.18. Note that 1.4.18 is not backport compatible, since it uses a new whitelisting approach for serialization.

TinkerPop has a dependency on XStream via:

[1] TinkerPop -> Groovy 2.5.x -> XStream 1.4.10

However, the Groovy 2.5.x series does not consume the version of XStream (1.4.18) which contains the fixes for the vulnerabilities [2], but Groovy 3.x uses XStream 1.4.18, which has the fixes for the vulnerabilities.

Hence, either we convince the Groovy project to backport the vulnerability fixes to the 2.5.x series, or we upgrade Groovy to 3.x for TinkerPop. IMO, upgrading TP to use Groovy 3.x might be much easier.

[1] https://github.com/apache/tinkerpop/blob/master/pom.xml#L162
[2] https://github.com/apache/groovy/blob/GROOVY_2_5_X/build.gradle#L165

--
This message was sent by Atlassian Jira
(v8.20.1#820001)