Skip to content

[Snyk] Fix for 37 vulnerabilities #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 37 vulnerabilities #65

wants to merge 1 commit into from

Conversation

@Yuyang105
Copy link
Owner

@Yuyang105 Yuyang105 commented Jul 15, 2025

snyk-top-banner

Snyk has created this PR to fix 37 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity Remote Code Execution (RCE)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183		   854   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Mature
high severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924		   756   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
Proof of Concept
high severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458		   751   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Server-Side Request Forgery (SSRF)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191		   746   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Uncontrolled Recursion
SNYK-JAVA-COMMONSLANG-10734077		   726   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade No Known Exploit
high severity Stack-based Buffer Overflow
SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754		   721   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade No Known Exploit
medium severity Server-Side Request Forgery (SSRF)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967		   711   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Mature
critical severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-456705		   704   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade No Known Exploit
high severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337		   696   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189		   646   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540		   631   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332		   626   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334		   626   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336		   626   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Insecure XML deserialization
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764		   626   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Mature
medium severity Denial of Service (DoS)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897		   616   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328		   611   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331		   591   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
high severity Denial of Service (DoS)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977		   589   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade No Known Exploit
medium severity Arbitrary File Deletion
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966		   586   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329		   586   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330		   586   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333		   586   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335		   586   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338		   586   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180		   479   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.1.3
Major version upgrade No Known Exploit

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.springframework.boot:[email protected] to org.springframework.boot:[email protected]; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.1.RELEASE/spring-boot-dependencies-1.5.1.RELEASE.pom

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Deserialization of Untrusted Data
🦉 Arbitrary File Deletion
🦉 Server-Side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: pom.xml to reduce vulnerabilities
d19a539 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191
- https://snyk.io/vuln/SNYK-JAVA-COMMONSLANG-10734077
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-456705
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180
@guardrails
Copy link

guardrails bot commented Jul 15, 2025

⚠️ We detected 14 security issues in this pull request:

Vulnerable Libraries (14)
Severity Details
High pkg:maven/com.fasterxml.jackson.core/[email protected] (t) upgrade to: 2.6.7.4,2.9.10.7,2.10.5.1
High pkg:maven/org.springframework/[email protected] (t) upgrade to: 6.1.13
N/A pkg:maven/commons-beanutils/[email protected] (t) upgrade to: 1.9.4
High pkg:maven/org.springframework/[email protected] (t) upgrade to: 6.1.4,6.0.17,5.3.32
High pkg:maven/org.springframework/[email protected] (t) upgrade to: 5.2.22.RELEASE,5.3.20
Critical pkg:maven/org.apache.xmlbeans/[email protected] (t) upgrade to: 3.0.0
N/A pkg:maven/org.apache.tomcat.embed/[email protected] (t) upgrade to: 8.5.99,11.0.0-M17,10.1.19,9.0.86
N/A pkg:maven/commons-configuration/[email protected] (t) - no patch available
High pkg:maven/ch.qos.logback/[email protected] (t) upgrade to: 1.3.12,1.4.12,1.2.13
High pkg:maven/com.fasterxml.woodstox/[email protected] (t) upgrade to: 6.4.0,5.4.0
Medium pkg:maven/org.springframework/[email protected] (t) upgrade to: 6.1.14
Medium pkg:maven/org.springframework/[email protected] (t) upgrade to: 6.1.14
Medium pkg:maven/org.codehaus.groovy/[email protected] (t) upgrade to: 3.0.7,2.4.21,2.5.14
Medium pkg:maven/com.google.protobuf/[email protected] (t) upgrade to: 3.21.7,3.16.3,3.19.6,3.20.3

More info on how to fix Vulnerable Libraries in Java.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Yuyang105 @snyk-bot