CVEs in outdated libs wss4j and xmlsec
sopgreg opened this issue · 1 comment
sopgreg commented
The versions used for wss4j (2.2.2) and xmlsec (2.1.2) are several years old and partially also contain CVEs.
See also:
https://ws.apache.org/wss4j/index.html
https://santuario.apache.org/secadv.html
RenateS commented
We will be upgrading dependencies in a future version. However, these CVEs are in parts of the libraries that Holodeck B2B does not use and therefore do not pose a risk.