XNAT 1.9 Dependency Updates
A combination of internal SAST security scans and external CVE identification performed on the XNAT stack revealed a set of potential vulnerabilities associated with out-of-date dependency versions. While we assessed these vulnerabilities and determined that XNAT’s application and data had minimal actual exposure to risk, we want to ensure that the application stack can pass audits such as these.
If you have developed external XNAT plugins, these dependency updates may impact your code. See Updating Plugins for Changes in XNAT Dependencies for details.
Critical Risk Updates
These dependency updates carried the highest amount of potential risk.
Dependency Library | Old Version | New Version (XNAT 1.9) |
---|---|---|
axis | 1.4 | removed from XNAT (still in use in Pipeline Engine plugin) |
jackson (woodstox) | 2.13.3 | 2.13.5 |
jayway (json-smart) | 2.4.0 | 2.8.0 |
org.postgresql | 42.2.10 | 42.7.3 |
snakeyaml | 1.33 | |
spring-framework | 4.3.30.RELEASE | 5.3.31 |
spring-ldap | 2.3.3.RELEASE | 2.4.1 |
spring-security | 4.2.20.RELEASE | 5.7.11 |
quartz (c3p0) | 2.2.1 | 2.3.2 |
xmlbeans | 2.6.0 | removed from XNAT (still in use in Pipeline Engine plugin) |
xstream | | removed |
High Risk Updates
These updates carried "high" risk.
Dependency Library | Old Version | New Version (XNAT 1.9) |
---|---|---|
commons-beanutils | 1.9.3 | 1.9.4 |
commons-compress | 1.20 | 1.24.0 |
commons-email | 1.4 | 1.5 |
guava | 20.0 | 32.1.3-jre |
hibernate | 4.3.11.Final | 5.6.15.Final |
http-builder (nekohtml) | 0.7.1 | removed |
json | 20160810 | 20231013 |
logback | 1.2.3 | 1.2.12 |
Other Dependency Updates
These updates carried a risk profile of “medium” or lower.
Dependency Library | Old Version | New Version (XNAT 1.9) |
---|---|---|
antlr3 | 3.5.2 | 3.5.3 |
antlr4 | 4.7.1 | 4.9.3 |
commons-httpclient | 3.x | removed from XNAT |
commons-io | 2.6 | 2.15.1 |
commons-net | 3.3 | 3.10.0 |
datasource-micrometer | 1.0.3 | |
ehcache | 2.6.11 | 3.10.8 |
glassfish-javax-el | 3.0.1-b12 | |
glassfish-jakarta-el | 4.0.2 | |
java-activation | 1.1.1 | 1.2.0 |
java-cache-api | 1.1.1 | |
javax-el | 2.2.5 | |
javax-validation | 2.0.1.Final | removed |
javamelody | 1.90.0 | 1.91.0 |
jetbrains-annotations | 17.0.0 | removed |
junit | 4.13 | 4.13.2 |
jython | 2.7.1 | 2.7.3 |
lombok | 1.18.22 | 1.18.26 |
micrometer-core | 1.12.4 | |
redisson | 3.20.1 | |
reflections | 0.9.11 | 0.10.2 |
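The tables above are, in effect, the minimum versions a plugin build should resolve to once it targets XNAT 1.9, plus a list of libraries the core no longer provides. The script below is an added example, not XNAT project tooling: it reads a Gradle dependency tree (the format printed by `./gradlew dependencies --configuration runtimeClasspath`) and flags artifacts resolved below the XNAT 1.9 version or removed from the core. The Maven coordinates used to map the library names in the tables to artifacts are my assumption (the page lists names only), only a subset of the tables is encoded, and the sample report is constructed.

```python
"""Check a plugin's resolved dependencies against the XNAT 1.9 baseline.

Added example, not XNAT project tooling. Input is Gradle dependency-tree
output; output is the artifacts that resolve below the XNAT 1.9 version
or that XNAT 1.9 no longer ships.
"""
import re

# Subset of the tables on this page. Maven coordinates are assumed here;
# the page lists library names only.
BASELINE = {
    "org.springframework:spring-core": "5.3.31",
    "org.springframework.security:spring-security-core": "5.7.11",
    "org.springframework.ldap:spring-ldap-core": "2.4.1",
    "org.postgresql:postgresql": "42.7.3",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.5",
    "net.minidev:json-smart": "2.8.0",
    "org.quartz-scheduler:quartz": "2.3.2",
    "commons-beanutils:commons-beanutils": "1.9.4",
    "org.apache.commons:commons-compress": "1.24.0",
    "com.google.guava:guava": "32.1.3-jre",
    "org.hibernate:hibernate-core": "5.6.15.Final",
    "org.json:json": "20231013",
    "ch.qos.logback:logback-classic": "1.2.12",
}

# Libraries XNAT 1.9 no longer provides. A plugin that still pulls one in
# now carries that dependency (and its CVE exposure) itself.
REMOVED = {
    "axis:axis",
    "org.apache.xmlbeans:xmlbeans",
    "com.thoughtworks.xstream:xstream",
    "commons-httpclient:commons-httpclient",
}

PRERELEASE = re.compile(r"(alpha|beta|rc|m|b|snapshot)\d*", re.I)

# group:artifact[:declared][ -> resolved]; Gradle prints the arrow form
# when conflict resolution or a BOM changed the version.
DEP_LINE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)(?::([A-Za-z0-9_.\-]+))?"
    r"(?:\s+->\s+([A-Za-z0-9_.\-]+))?"
)


def version_key(version):
    """Order versions such as 4.3.30.RELEASE, 5.6.15.Final, 32.1.3-jre, 20231013.

    Numeric segments compare as integers, padded so 2.4 == 2.4.0.
    RELEASE/Final/jre-style qualifiers carry no ordering; alpha/beta/rc/
    b/M/SNAPSHOT qualifiers sort below the plain release of the same number.
    """
    nums, pre = [], 0
    for token in re.split(r"[.\-_]", version):
        if token.isdigit():
            nums.append(int(token))
        elif PRERELEASE.fullmatch(token):
            pre = -1
    nums += [0] * (4 - len(nums))
    return tuple(nums) + (pre,)


def audit(report_lines):
    """Return (coordinate, resolved_version, verdict) for each flagged artifact."""
    findings = []
    for line in report_lines:
        m = DEP_LINE.search(line)
        if not m:
            continue
        group, artifact, declared, resolved = m.groups()
        coord = f"{group}:{artifact}"
        version = resolved or declared  # the resolved version is what ships
        if version is None:
            continue
        if coord in REMOVED:
            findings.append((coord, version, "removed from XNAT 1.9"))
        elif coord in BASELINE and version_key(version) < version_key(BASELINE[coord]):
            findings.append((coord, version, f"below XNAT 1.9 baseline {BASELINE[coord]}"))
    return findings


# Constructed sample of a Gradle dependency tree, not output from a real plugin.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework:spring-core:4.3.30.RELEASE -> 5.3.31 (*)
+--- org.springframework.security:spring-security-core:4.2.20.RELEASE
+--- com.google.guava:guava:20.0
+--- org.apache.commons:commons-compress:1.24.0
+--- org.hibernate:hibernate-core:5.6.15.Final
+--- axis:axis:1.4
\\--- org.postgresql:postgresql -> 42.7.3
"""

if __name__ == "__main__":
    for coord, version, verdict in audit(SAMPLE_REPORT.splitlines()):
        print(f"{coord} {version}: {verdict}")
```

Run it against the real tree of your plugin build; a library that your plugin pins at the old version will still be overridden by XNAT's version at runtime when both are on the classpath, so a "below baseline" finding is a signal that the plugin was compiled against an API it will not see in production, not just a CVE note.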