To whom it may concern,

Even though it is clear that XStreamWireFormat does not use XStream’s BinaryStreamDriver which is required for https://nvd.nist.gov/vuln/detail/CVE-2024-47072 to be applicable, most vulnerability scanners are not smart enough to look at code usage, so changing line 105 of activemq’s pom file to <xstream-version>1.4.21</xstream-version> instead of 1.4.20 would suppress these false positives.

Thanks,
James Velasco

--
James Velasco
Chief Computer Scientist
Office: +1 (713) 975-7434
james.vela...@int.com
INT | Empowering Visualization