
Batik Dependency Subject to Known Vulnerabilities

Open syoon2 opened this issue 2 years ago • 0 comments

https://github.com/nidi3/graphviz-java/blob/f0c1fdfa37c8b9876ef1dcccec1a6c19219e727e/graphviz-java/pom.xml#L92-L104

List of known vulnerabilities

Fixed in 1.15:

  • CVE-2022-38648
  • CVE-2022-40146

Fixed in 1.16:

  • CVE-2022-41704
  • CVE-2022-42890

Fixed in 1.17:

  • CVE-2022-44729
  • CVE-2022-44730

Issues Affecting This Repository

A simple dependency version bump works fine for 1.15 / 1.16. For 1.17, however, a simple version bump does not work as it breaks several Batik rasterizer tests, with the presumable cause being the patches for CVE-2022-44729.

syoon2 avatar Sep 01 '23 03:09 syoon2
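An added check, written for this page and not part of the issue or of graphviz-java, that reads a Maven pom.xml and reports, per pinned Batik artifact, which of the CVEs listed above are still open. The fixed-in versions are taken from the list in the issue; the sample pom.xml, the `batik.version` property name and the function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# First Batik release containing each fix, as listed in the issue above.
BATIK_FIXES = {
    "CVE-2022-38648": (1, 15),
    "CVE-2022-40146": (1, 15),
    "CVE-2022-41704": (1, 16),
    "CVE-2022-42890": (1, 16),
    "CVE-2022-44729": (1, 17),
    "CVE-2022-44730": (1, 17),
}

# Constructed sample pom.xml (not graphviz-java's real pom): one artifact pinned via a
# property, one pinned directly, to exercise both paths.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <batik.version>1.14</batik.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>batik-rasterizer</artifactId>
      <version>${batik.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>batik-codec</artifactId>
      <version>1.16</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Numeric prefix of a Maven version as a tuple: '1.16-SNAPSHOT' -> (1, 16)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    return tuple(int(p) for p in m.group(1).split("."))


def batik_versions(pom_xml):
    """Return {artifactId: version} for every org.apache.xmlgraphics batik-* dependency,
    including those under <dependencyManagement>, with ${property} references resolved
    from the pom's own <properties> block."""
    root = ET.fromstring(pom_xml)
    # The POM namespace is usually present but some poms omit it; handle both.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda name: "{%s}%s" % (ns, name)) if ns else (lambda name: name)

    props = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()

    found = {}
    for dep in root.iter(q("dependency")):
        gid = (dep.findtext(q("groupId")) or "").strip()
        aid = (dep.findtext(q("artifactId")) or "").strip()
        ver = (dep.findtext(q("version")) or "").strip()
        if gid != "org.apache.xmlgraphics" or not aid.startswith("batik") or not ver:
            continue
        # Resolve ${name} against <properties>; leave unknown references untouched.
        ver = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), ver)
        found[aid] = ver
    return found


def unpatched_cves(version):
    """CVEs from BATIK_FIXES whose fix landed after the given version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in BATIK_FIXES.items() if v < fixed)


def audit(pom_xml):
    """Map each pinned Batik artifact to the CVEs its version leaves open."""
    return {aid: unpatched_cves(ver) for aid, ver in batik_versions(pom_xml).items()}


if __name__ == "__main__":
    for artifact, cves in audit(SAMPLE_POM).items():
        print(artifact, "->", ", ".join(cves) if cves else "none of the listed CVEs")
```

A pin at 1.17 is the only one that clears every entry in the list; the issue notes that this bump breaks several rasterizer tests in this repository, so a result of "none" from this check says nothing about whether the upgrade builds, only that the listed advisories are covered.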