hunterhacker/jdom

Got security warning for JDOM » 2.0.6.1 - CVE-2022-34169

Opened this issue · 4 comments

Hello Team Hunter hacker,
We are currently using JDOM 2.0.6.1 and are facing a vulnerability warning for CVE-2022-34169 and 4 for the Xerces library.
So can we get a fix for these vulnerabilities?

What do you propose be done?

rzo1 commented

@hunterhacker I think it is mainly about updating xerces to 2.7.3, which shouldn't be that hard, and doing a release in order to please scanners. Probably just a matter of available time :)

Both Xalan and Xerces are optional dependencies for JDom2, so the version used is up to users - and indeed I believe you can replace them with alternative implementations. There are patched versions of Xerces (2.12.2), and JDOM can't do anything about a vulnerability in Xalan 2.7.2 that probably won't be patched/fixed as it's EOL.

I'd suggest people check that they are not pulling in optional dependencies due to issues with their build system, and/or remove them if not needed?

There is a Xalan 2.7.3 release from April this year that fixes the mentioned CVE, according to https://xalan.apache.org/xalan-j/readme.html#done.
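Since the thread's conclusion is that the fix lives on the consumer's side, here is an added example (not code from the JDOM project) of how a project depending on JDOM 2.0.6.1 can pin the patched Xalan 2.7.3 and Xerces 2.12.2 versions named above in its own Maven `pom.xml`. The `xalan:xalan`, `xalan:serializer`, `xerces:xercesImpl` and `org.jdom:jdom2` coordinates are the standard Maven Central ones; that the consuming project uses Maven at all is an assumption.

```xml
<!-- Added example, not part of JDOM itself. JDOM leaves the Xalan/Xerces
     version choice to the user, so the override has to live in the
     consuming project's pom.xml. dependencyManagement only changes the
     version of artifacts that are actually pulled in (directly or
     transitively); it does not add them to the classpath. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Xalan 2.7.3 is the release the thread names as fixing
           CVE-2022-34169; its companion serializer artifact is pinned to
           the same version so the two stay in step. -->
      <dependency>
        <groupId>xalan</groupId>
        <artifactId>xalan</artifactId>
        <version>2.7.3</version>
      </dependency>
      <dependency>
        <groupId>xalan</groupId>
        <artifactId>serializer</artifactId>
        <version>2.7.3</version>
      </dependency>
      <!-- Patched Xerces line mentioned in the thread. -->
      <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>2.12.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- JDOM itself; Xalan/Xerces are optional here and are NOT pulled in
         transitively by this declaration. If they show up on the classpath,
         some other dependency is bringing them. -->
    <dependency>
      <groupId>org.jdom</groupId>
      <artifactId>jdom2</artifactId>
      <version>2.0.6.1</version>
    </dependency>
  </dependencies>
</project>
```

To check which dependency is actually dragging the optional artifacts in, run `mvn dependency:tree -Dincludes=xalan,xerces` on the consuming project; if the project never performs XSLT and the JDK's built-in parser is sufficient, an `<exclusions>` block on that offending dependency removes them entirely instead of pinning them.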