holodeck-b2b/Holodeck-B2B

CVEs in outdated libs wss4j and xmlsec

sopgreg opened this issue · 1 comment

The versions used for wss4j (2.2.2) and xmlsec (2.1.2) are several years old and partially also contain CVEs.

See also:

https://ws.apache.org/wss4j/index.html
https://santuario.apache.org/secadv.html

We will be upgrading dependencies in a future version. However, these CVEs are in parts of the libraries that Holodeck B2B does not use and therefore do not pose a risk.