memcached-session-manager
Dependency com.thoughtworks.xstream:xstream, leading to CVE problem
Hi, in memcached-session-manager/xstream-serializer there is a dependency com.thoughtworks.xstream:xstream:1.4.7 that calls the risk method.
The scope of this CVE's affected versions is [,1.4.15).
After further analysis, in this project the main API called is <com.thoughtworks.xstream.XStream: void setupSecurity()>.
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 7
<com.thoughtworks.xstream.XStream: void setupSecurity()>
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,com.thoughtworks.xstream.core.ClassLoaderReference,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.converters.ConverterLookup,com.thoughtworks.xstream.converters.ConverterRegistry)> (com.thoughtworks.xstream.XStream.java:[571]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.7/xstream-1.4.7.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,com.thoughtworks.xstream.core.ClassLoaderReference,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.core.DefaultConverterLookup)> (com.thoughtworks.xstream.XStream.java:[496]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.7/xstream-1.4.7.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,java.lang.ClassLoader,com.thoughtworks.xstream.mapper.Mapper)> (com.thoughtworks.xstream.XStream.java:[465]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.7/xstream-1.4.7.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.io.HierarchicalStreamDriver)> (com.thoughtworks.xstream.XStream.java:[411]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.7/xstream-1.4.7.jar
at <com.thoughtworks.xstream.XStream: void <init>()> (com.thoughtworks.xstream.XStream.java:[350]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.7/xstream-1.4.7.jar
at <de.javakaffee.web.msm.serializer.xstream.XStreamTranscoder: void <init>(org.apache.catalina.Manager)> (de.javakaffee.web.msm.serializer.xstream.XStreamTranscoder.java:[56]) in /detect/unzip/memcached-session-manager-2.3.0/xstream-serializer/target/classes
Dependency tree--
[INFO] de.javakaffee.msm:msm-xstream-serializer:jar:2.3.0
[INFO] +- de.javakaffee.msm:memcached-session-manager:jar:2.3.0:provided
[INFO] | +- net.spy:spymemcached:jar:2.12.0:provided
[INFO] | +- com.couchbase.client:couchbase-client:jar:1.4.11:provided
[INFO] | | +- io.netty:netty:jar:3.5.5.Final:provided
[INFO] | | +- org.codehaus.jettison:jettison:jar:1.1:provided
[INFO] | | | \- stax:stax-api:jar:1.0.1:provided
[INFO] | | \- org.apache.httpcomponents:httpcore-nio:jar:4.3:provided
[INFO] | \- redis.clients:jedis:jar:2.9.0:provided
[INFO] | \- org.apache.commons:commons-pool2:jar:2.4.2:provided
[INFO] +- org.apache.tomcat:juli:jar:6.0.53:provided
[INFO] +- org.apache.tomcat:coyote:jar:6.0.53:provided
[INFO] | \- org.apache.tomcat:servlet-api:jar:6.0.53:provided
[INFO] +- org.apache.tomcat:catalina:jar:6.0.53:provided
[INFO] | \- org.apache.tomcat:annotations-api:jar:6.0.53:provided
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.7:compile
[INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- com.google.code.findbugs:jsr305:jar:3.0.1:compile
[INFO] +- com.google.code.findbugs:annotations:jar:3.0.1:compile
[INFO] | \- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.3:provided
Suggested solutions:
Update the dependency version.
Thank you very much.
@magro Could you please help me check this issue? May I open a pull request to fix it? Thanks again.
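Bumping xstream past 1.4.15, as suggested above, is the actual fix; as defense in depth, the XStream instance created in XStreamTranscoder can also be given an explicit type allowlist so that a serialized session naming an unexpected class is rejected before any converter runs. The following is an added example, not code from memcached-session-manager; the package wildcard `com.example.app.session.**` and the `HardenedXStreamFactory` name are assumptions standing in for the application's own session attribute classes, and the XML string is constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

/** Builds an XStream instance that deserializes only the types a session may legitimately contain. */
public final class HardenedXStreamFactory {

    // Hypothetical application package holding the session attribute classes (assumption).
    private static final String[] ALLOWED_PACKAGES = { "com.example.app.session.**" };

    public static XStream create() {
        XStream xstream = new XStream();
        // Start from "deny every type", then re-enable only what serialized sessions need.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Integer.class, Long.class, Boolean.class });
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypesByWildcard(ALLOWED_PACKAGES);
        return xstream;
    }

    /** Returns true when the XML was rejected by the allowlist, false when it deserialized. */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            // At the root element this is a ForbiddenClassException; inside a nested
            // element XStream wraps it in a ConversionException, hence the base type.
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();
        // Constructed input: a JDK type that is not on the allowlist.
        String unexpected = "<java.util.Locale><language>en</language></java.util.Locale>";
        // Constructed input: plain list of strings, which the allowlist permits.
        String expected = "<list><string>cart-item-1</string></list>";
        System.out.println("unexpected type rejected: " + isRejected(xstream, unexpected)); // true
        System.out.println("allowed payload rejected:  " + isRejected(xstream, expected));   // false
    }
}
```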