Got security warning for JDOM » 2.0.6.1 - CVE-2022-34169

[dkumarkartik]

Hello Team Hunter hacker,
we are currently using JDOM: 2.0.6.1 and facing vulnerability warning for CVE-2022-34169 and 4 for XCERS library.
so can we get a fix for these vulnerabilities.

[hunterhacker]

What do you propose be done?

[rzo1]

@hunterhacker I think it is mainly about updating xerces to 2.7.3, which shouldn't be that hard and doing a release in order to please scanners. Probably just a matter of available time :)

[chadlwilson]

Both Xalan and Xerces are optional dependencies for JDom2 so the version used is up to users - and indeed believe you can replace them with alternative implementations. There are patched versions of xerces (2.12.2) and jdom can't do anything about a vulnerability in xalan 2.7.2 that probably won't be patched/fixed as it's EOL.

I'd suggest people check that they are not pulling in optional dependencies due to issues with their build system, and/or remove them if not needed?

[pjonsson]

There is a Xalan 2.7.3 released in April this year that fixes the mentioned CVE according to https://xalan.apache.org/xalan-j/readme.html#done.