Got security warning for JDOM » 2.0.6.1 - CVE-2022-34169 #203

Open
dkumarkartik opened this issue Aug 24, 2022 · 4 comments
Comments

@dkumarkartik

Hello Team Hunter hacker,
We are currently using JDOM 2.0.6.1 and facing a vulnerability warning for CVE-2022-34169 and 4 for the Xerces library.
So can we get a fix for these vulnerabilities?

@hunterhacker
Owner

What do you propose be done?

@rzo1

rzo1 commented Oct 5, 2022

@hunterhacker I think it is mainly about updating xerces to 2.7.3, which shouldn't be that hard, and doing a release in order to please scanners. Probably just a matter of available time :)

@chadlwilson

Both Xalan and Xerces are optional dependencies for JDom2, so the version used is up to users - and indeed I believe you can replace them with alternative implementations. There are patched versions of xerces (2.12.2), and jdom can't do anything about a vulnerability in xalan 2.7.2 that probably won't be patched/fixed as it's EOL.

I'd suggest people check that they are not pulling in optional dependencies due to issues with their build system, and/or remove them if not needed?

@pjonsson

pjonsson commented Oct 7, 2023

There is a Xalan 2.7.3 released in April this year that fixes the mentioned CVE according to https://xalan.apache.org/xalan-j/readme.html#done.
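A small checker for the advice in this thread (verify whether your build actually pulls in Xalan/Xerces, and at what version), added here as an example and not part of JDOM or of any commenter's post. It parses `mvn dependency:tree` output and flags Xalan older than 2.7.3 and Xerces older than 2.12.2, the fixed versions named above; the tree output below is constructed sample data, not a real project.

```python
import re
from typing import List, Tuple

# Fixed versions named in the thread; anything older is flagged (assumption: numeric compare suffices).
FIXED = {
    "xalan:xalan": (2, 7, 3),
    "xerces:xercesImpl": (2, 12, 2),
}

# Constructed sample of `mvn dependency:tree` output (not output from a real build).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.jdom:jdom2:jar:2.0.6.1:compile
[INFO] +- xalan:xalan:jar:2.7.2:compile
[INFO] |  \\- xalan:serializer:jar:2.7.2:compile
[INFO] +- xerces:xercesImpl:jar:2.12.1:compile
[INFO] |  \\- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# groupId:artifactId:jar:version:scope as printed by the Maven dependency plugin
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.7.2' into (2, 7, 2) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_outdated(tree_output: str) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, version found, fixed version) for every flagged dependency."""
    flagged = []
    for line in tree_output.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        key = f"{match.group(1)}:{match.group(2)}"
        if key in FIXED and parse_version(match.group(3)) < FIXED[key]:
            flagged.append((key, match.group(3), ".".join(map(str, FIXED[key]))))
    return flagged


if __name__ == "__main__":
    for key, found, fixed in find_outdated(SAMPLE_TREE):
        print(f"{key} {found} is older than {fixed}: upgrade it, or exclude it if JDOM does not need it")
```

Pipe real output in with `mvn dependency:tree | python3 check_xml_deps.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; a clean result means the optional parsers are not on your classpath at all.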
