[Snyk] Upgrade com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21

[appsectr]

Snyk has created this PR to upgrade com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 23 versions ahead of your current version.

• The recommended version was released on a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190	756	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178	756	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977	756	No Known Exploit
	XML External Entity (XXE) Injection SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385	756	No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180	756	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394	756	No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182	756	Proof of Concept
	Remote Code Execution (RCE) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183	756	Mature
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185	756	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540	756	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189	756	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180	756	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897	756	Proof of Concept
	Insecure XML deserialization SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764	756	Mature
	Arbitrary File Deletion SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966	756	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967	756	Mature
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328	756	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329	756	Proof of Concept

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[secure-code-warrior-for-github]

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)

Matched on "Deserialization of Untrusted Data"

What is this? (2min video)

It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
• OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
• OWASP Top Ten 2017 A8: Insecure Deserialization - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-Side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "XXE"

What is this? (2min video)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP XML External Entity (XXE) Processing - OWASP community page with comprehensive information about XML external entity attacks, and links to various OWASP resources to help detect or prevent it.
• MSDN Security Briefs - XML Denial of Service Attacks and Defenses - An MSDN Magazine article that goes into detail on XML entity attacks and how to defend against them.
• OWASP XML External Entity Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing XML external entity flaws in your applications.