Hi,

We have:
https://issues.apache.org/jira/browse/FOP-3085

Thanks

-----Original Message-----
From: Philip Trykacz <phil_tryk...@gmx.de> 
Sent: 01 September 2022 09:33
To: fop-users@xmlgraphics.apache.org
Subject: Is Apache FOP vulnerable to CVE-2022-34169?

Hi all,

I've the following issue:
I am using the Apache FOP library to generate a PDF file in my software.
As far as I understand, the current version of the Apache FOP library depends on 
Xalan 2.7.2 for the handling of XSLT files, which is vulnerable to 
CVE-2022-34169.
A cutout from the dependency graph is attached to the end of the mail.

Now my question:
In my software, the XSLT file is loaded from disk, and hence, can be 
manipulated by a user (or an attacker).
If I use Apache FOP, and the XSLT file can theoretically be edited by a user, 
am I vulnerable to CVE-2022-34169?
I would think yes, right?

Are there any plans for an update of Apache FOP that is not vulnerable to 
CVE-2022-34169? As far as I understand the Apache Xalan Java project is dormant 
and in the process of being retired. No future releases of Apache Xalan Java to 
address this issue are expected.


Dependency Graph:
+- org.apache.xmlgraphics:fop:jar:2.7:compile
|  +- org.apache.xmlgraphics:fop-util:jar:2.7:compile
|  |  \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.7:compile
|  +- org.apache.xmlgraphics:fop-events:jar:2.7:compile
|  |  \- com.thoughtworks.qdox:qdox:jar:1.12:compile
|  \- org.apache.xmlgraphics:fop-core:jar:2.7:compile
|     +- org.apache.xmlgraphics:batik-anim:jar:1.14:compile
|     |  +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
|     |  +- org.apache.xmlgraphics:batik-dom:jar:1.14:compile
|     |  |  \- xalan:xalan:jar:2.7.2:compile
|     |  |     \- xalan:serializer:jar:2.7.2:compile

BR
Philip Trykacz

---------------------------------------------------------------------
To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org
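One way to check a build for the exposure discussed in this thread (an added example, not code from the thread or from the FOP project): walk the Maven dependency tree output Philip posted and report the chain of artifacts through which xalan:xalan at or below 2.7.2 is pulled in. It assumes plain `mvn dependency:tree` formatting with jar coordinates and no classifiers.

```python
import re
from typing import List, Tuple

# Dependency graph exactly as posted in the thread (mvn dependency:tree output).
DEP_GRAPH = """\
+- org.apache.xmlgraphics:fop:jar:2.7:compile
|  +- org.apache.xmlgraphics:fop-util:jar:2.7:compile
|  |  \\- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.7:compile
|  +- org.apache.xmlgraphics:fop-events:jar:2.7:compile
|  |  \\- com.thoughtworks.qdox:qdox:jar:1.12:compile
|  \\- org.apache.xmlgraphics:fop-core:jar:2.7:compile
|     +- org.apache.xmlgraphics:batik-anim:jar:1.14:compile
|     |  +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
|     |  +- org.apache.xmlgraphics:batik-dom:jar:1.14:compile
|     |  |  \\- xalan:xalan:jar:2.7.2:compile
|     |  |     \\- xalan:serializer:jar:2.7.2:compile
"""
# One tree line: indentation made of "|  " / "   " units, then "+- " or "\- ",
# then group:artifact:type:version[:scope] (assumption: no classifier field).
LINE_RE = re.compile(r"^((?:[| ]  )*)[+\\]- ([^:]+):([^:]+):[^:]+:([^:]+)(?::\S+)?$")

def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, group, artifact, version) for every node, in tree order."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank lines and anything that is not a tree node
            nodes.append((len(m.group(1)) // 3, m.group(2), m.group(3), m.group(4)))
    return nodes

def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison key, e.g. "2.7.2" -> (2, 7, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def find_paths(text: str, group: str, artifact: str, max_vulnerable: str) -> List[List[str]]:
    """Return the dependency chain from the direct dependency down to each
    group:artifact whose version is <= max_vulnerable (here Xalan 2.7.2)."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, g, a, v in parse_tree(text):
        del stack[depth:]  # unwind to the parent of this node
        stack.append(f"{g}:{a}:{v}")
        if g == group and a == artifact and version_tuple(v) <= version_tuple(max_vulnerable):
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    for path in find_paths(DEP_GRAPH, "xalan", "xalan", "2.7.2"):
        print("vulnerable Xalan reached via: " + " -> ".join(path))
```

Feed real `mvn dependency:tree` output in place of DEP_GRAPH; the reported chain shows which direct dependency (here fop, via fop-core and batik-dom) would need an exclusion or an upgrade for the transitive Xalan to go away.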
