Eureka Client - CVE-2024-47072 (HIGH severity)

[acabociu-ntt]

Warning

This issue is solved in branch 2.x but it's not included in the latest release. I'd like to know if a release is planeed soon.

Vulnerability

CVE-2024-47072: DDOS attack exposure.

Dependency

<dependency>
  <groupId>com.thoughtworks.xstream</groupId>
  <artifactId>xstream</artifactId>
</dependency>

Fix-up

Update com.thoughtworks.xstream:xstream to version 1.4.21

<dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.21</version>
</dependency>

[MrManlyPrincess]

Any update on this?
I am running into this as well across several versions.

[jham-clari]

Hoping to get some traction on this upgrade. Based on some research it appears there are no breaking changes for this repo.

The breaking change in XStream 1.4.21 is in the ElementIgnoringMapper class, where two fields had their visibility changed from protected to private. Because Eureka does not use this class, this change will not affect the project.

[acabociu-ntt]

You may close this issue, since it was fixed at c104e1f and it was released in v2.0.5