-
Notifications
You must be signed in to change notification settings - Fork 399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2022-40152 affecting com.fasterxml.woodstox:woodstox-core #397
Comments
Noted |
Adding interest in this update. Snyk has assigned another XML External Entity (XXE) Injection vulnerability with no CVE number, in com.fasterxml.woodstox:woodstox-core < 5.3.0, the rating of 9.4 out of 10. |
As far as these things go in my experience, it's not particularly possible to wait until all maintainers of my project(s) direct dependencies update theirs, which will require a constant stream of patch releases, and I don't think is a reasonable burden to expect each maintainer to take on. In addition, different direct dependencies will have various versions of the same transitive dependency anyway. |
CVE-2022-40152 is a vulnerability affecting
com.fasterxml.woodstox:woodstox-core
, which is a transitive dependency ofjava-saml
viaorg.apache.santuario:xmlsec
. Requesting that you upgrade the dependencyorg.apache.santuario:xmlsec
to 3.0.2+ or 2.3.3+ when they are released. It appears both will include upgraded versions ofwoodstox-core
in which this vulnerability is fixed. Thank you!The text was updated successfully, but these errors were encountered: