Hi, I am using your library org.apache.poi with name: 'poi-ooxml' and version: '5.0.0' for my project, and after creating my jars I ran a vulnerability scan with the trivy command.

The scan has given me HIGH vulnerabilities in two dependencies of the library:

LIBRARY                                  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
org.apache.xmlgraphics:batik-svgbrowser  | CVE-2020-11987   | HIGH     | 1.13              | 1.14          | batik: SSRF due to improper input validation by the NodePickerPanel --> avd.aquasec.com/nvd/cve-2020-11987
org.apache.commons:commons-compress      | CVE-2021-35515   | HIGH     | 1.20              | 1.21          | apache-commons-compress:

The first one is in the library org.apache.xmlgraphics » batik-all, which is included in your dependencies. The second one is in the library org.apache.commons » commons-compress, which is also included in your dependencies.

I am writing to ask whether it would be possible to update the versions of these two libraries (Batik needs 1.14 and commons-compress needs 1.21) and publish a patch release of version 5.0.0 of 'poi-ooxml'.

In closing, I should mention that I am using the Maven repository to include the library in my project (https://mvnrepository.com/artifact/org.apache.poi/poi-ooxml); let me know if I can find a version of POI with the vulnerabilities fixed elsewhere.

Thank you so much!
Marc.
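Until a patched release is published, a consumer can raise the two transitive dependencies to the fixed versions from their own build. The snippet below is an added example for a Gradle build (the message uses Gradle's `name:`/`version:` notation), not code from the POI project or from the message author. It assumes the flagged artifacts are reached only through `poi-ooxml` and uses the coordinates and fixed versions that trivy reported (batik-all 1.14, commons-compress 1.21); the `because` texts are just the CVE IDs from the scan.

```groovy
// build.gradle (example, not part of the POI project)
dependencies {
    implementation group: 'org.apache.poi', name: 'poi-ooxml', version: '5.0.0'

    // Dependency constraints only take effect when the artifact is already
    // in the graph (here, pulled in transitively by poi-ooxml); they bump the
    // resolved version without adding a direct dependency of their own.
    constraints {
        implementation('org.apache.xmlgraphics:batik-all:1.14') {
            because 'CVE-2020-11987 reported by trivy; fixed version 1.14'
        }
        implementation('org.apache.commons:commons-compress:1.21') {
            because 'CVE-2021-35515 reported by trivy; fixed version 1.21'
        }
    }
}

// Optional: fail the build instead of silently resolving a downgrade, so a
// later plugin or dependency cannot pull the vulnerable versions back in.
configurations.all {
    resolutionStrategy {
        failOnVersionConflict()
    }
}
```

Verify the outcome before trusting it: `gradle dependencyInsight --configuration runtimeClasspath --dependency commons-compress` (and likewise for `batik`) prints which version was selected and which constraint selected it, and re-running trivy on the rebuilt jar should no longer list CVE-2020-11987 or CVE-2021-35515. Because this overrides versions the library was built against, run the project's own tests on real documents after the change; a minor-version bump in a transitive dependency is not guaranteed to be API-compatible with the library that uses it.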