
Got security warning for JDOM » 2.0.6.1 - CVE-2022-34169

Open dkumarkartik opened this issue 3 years ago • 4 comments

Hello Team hunterhacker, we are currently using JDOM 2.0.6.1 and facing a vulnerability warning for CVE-2022-34169 and 4 for the Xerces library. So can we get a fix for these vulnerabilities?

dkumarkartik, Aug 24 '22 12:08

What do you propose be done?

hunterhacker, Aug 28 '22 03:08

@hunterhacker I think it is mainly about updating xerces to 2.7.3, which shouldn't be that hard and doing a release in order to please scanners. Probably just a matter of available time :)

rzo1, Oct 05 '22 17:10

Both Xalan and Xerces are optional dependencies for JDom2, so the version used is up to users - and indeed I believe you can replace them with alternative implementations. There are patched versions of Xerces (2.12.2), and JDOM can't do anything about a vulnerability in Xalan 2.7.2 that probably won't be patched/fixed as it's EOL.

I'd suggest people check that they are not pulling in optional dependencies due to issues with their build system, and/or remove them if not needed?

chadlwilson, Feb 01 '23 10:02
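One way to do the check suggested above, as an added example that is not from the JDOM project or any commenter in this thread: run the build's dependency tree through a small script that flags the Xalan and Xerces versions discussed here. It assumes the standard Maven coordinates `xalan:xalan` and `xerces:xercesImpl`, treats Xalan below 2.7.3 as affected by CVE-2022-34169 (per the Xalan release notes cited later in the thread) and Xerces below 2.12.2 as older than the patched release named above. The dependency-tree output embedded in the script is constructed for the example, not real project output.

```shell
#!/bin/sh
# Added example (not JDOM project code): flag old Xalan/Xerces artifacts in
# the output of `mvn dependency:tree`.
# Assumptions: xalan:xalan < 2.7.3 is affected by CVE-2022-34169;
# xerces:xercesImpl < 2.12.2 is below the patched Xerces release.

# Constructed sample of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.jdom:jdom2:jar:2.0.6.1:compile
[INFO] +- xalan:xalan:jar:2.7.2:compile
[INFO] \- xerces:xercesImpl:jar:2.12.0:compile
[INFO]    \- xml-apis:xml-apis:jar:1.4.01:compile'

# version_lt A B: succeed when dotted version A sorts numerically below B.
# Handles up to three numeric components, which covers the versions here.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$1" ]
}

# check_tree: read dependency-tree lines on stdin, print one line per flagged
# artifact, and return 1 if anything was flagged (0 if the tree is clean).
check_tree() {
  found=0
  while IFS= read -r line; do
    # Pick the groupId:artifactId:jar:version[:scope] token out of the line;
    # the tree-drawing characters are separate whitespace-delimited tokens.
    coord=$(printf '%s\n' "$line" |
      awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:jar:[^:]+/) print $i }')
    [ -n "$coord" ] || continue
    group=$(printf '%s\n' "$coord" | cut -d: -f1)
    artifact=$(printf '%s\n' "$coord" | cut -d: -f2)
    version=$(printf '%s\n' "$coord" | cut -d: -f4)
    case "$group:$artifact" in
      xalan:xalan)
        if version_lt "$version" 2.7.3; then
          echo "xalan:xalan $version is below 2.7.3 (CVE-2022-34169)"
          found=1
        fi ;;
      xerces:xercesImpl)
        if version_lt "$version" 2.12.2; then
          echo "xerces:xercesImpl $version is below 2.12.2"
          found=1
        fi ;;
    esac
  done
  return $found
}

# Run against the constructed sample; in a real build pipe in
#   mvn dependency:tree -Dincludes=xalan:xalan,xerces:xercesImpl
printf '%s\n' "$SAMPLE_TREE" | check_tree
```

If the script flags anything and the artifact is not actually needed (JDOM only uses Xalan and Xerces when they are present, as the comment above notes), remove the transitive dependency with an `<exclusion>`; if it is needed, pin the patched version in `<dependencyManagement>` so the override wins over whatever pulls the old one in.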

There is a Xalan 2.7.3 released in April this year that fixes the mentioned CVE according to https://xalan.apache.org/xalan-j/readme.html#done.

pjonsson, Oct 07 '23 18:10