Hi,

We have: https://issues.apache.org/jira/browse/FOP-3085

Thanks
-----Original Message-----
From: Philip Trykacz <phil_tryk...@gmx.de>
Sent: 01 September 2022 09:33
To: fop-users@xmlgraphics.apache.org
Subject: Is Apache FOP vulnerable to CVE-2022-34169?

Hi all,

I have the following issue: I am using the Apache FOP library to generate a PDF file in my software. As far as I understand, the current version of the Apache FOP library depends on Xalan 2.7.2 for the handling of XSLT files, which is vulnerable to CVE-2022-34169. A cutout from the dependency graph is attached at the end of the mail.

Now my question: In my software, the XSLT file is loaded from disk and hence can be manipulated by a user (or an attacker). If I use Apache FOP, and the XSLT file can theoretically be edited by a user, am I vulnerable to CVE-2022-34169? I would think yes, right?

Are there any plans for an update of Apache FOP which is not vulnerable to CVE-2022-34169? As far as I understand, the Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected.
Dependency Graph:

+- org.apache.xmlgraphics:fop:jar:2.7:compile
|  +- org.apache.xmlgraphics:fop-util:jar:2.7:compile
|  |  \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.7:compile
|  +- org.apache.xmlgraphics:fop-events:jar:2.7:compile
|  |  \- com.thoughtworks.qdox:qdox:jar:1.12:compile
|  \- org.apache.xmlgraphics:fop-core:jar:2.7:compile
|     +- org.apache.xmlgraphics:batik-anim:jar:1.14:compile
|     |  +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
|     |  +- org.apache.xmlgraphics:batik-dom:jar:1.14:compile
|     |  |  \- xalan:xalan:jar:2.7.2:compile
|     |  |     \- xalan:serializer:jar:2.7.2:compile

BR
Philip Trykacz

---------------------------------------------------------------------
To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org
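An added check to go with the question above (example code written for this page; it is not part of Apache FOP, Batik or Xalan). CVE-2022-34169 is in XSLTC, Xalan's compiling XSLT processor, so what matters for exposure is which TransformerFactory implementation JAXP actually resolves at runtime, not only that xalan:xalan 2.7.2 appears in the Maven tree: xalan.jar registers its interpretive processor as the default provider, while the JDK ships its own copy of XSLTC. The class name XsltEngineCheck and the verdict strings are my own; the three implementation class names are the real ones.

```java
import java.security.CodeSource;
import java.util.ServiceLoader;
import javax.xml.transform.TransformerFactory;

/**
 * Reports which javax.xml.transform.TransformerFactory JAXP resolves on the
 * current classpath, where it was loaded from, and whether it is an XSLTC
 * (compiling) implementation. Added example, not FOP or Xalan project code.
 */
public class XsltEngineCheck {

    /** Xalan's compiling processor, the code path CVE-2022-34169 applies to. */
    static final String XALAN_XSLTC =
            "org.apache.xalan.xsltc.trax.TransformerFactoryImpl";
    /** Xalan's interpretive processor, registered by xalan.jar in META-INF/services. */
    static final String XALAN_INTERPRETIVE =
            "org.apache.xalan.processor.TransformerFactoryImpl";
    /** The JDK's bundled copy of XSLTC, used when no external provider is found. */
    static final String JDK_XSLTC =
            "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";

    /** Classify an implementation class name (verdict wording is my own). */
    static String classify(String className) {
        if (XALAN_XSLTC.equals(className)) {
            return "Xalan XSLTC (compiling): the engine CVE-2022-34169 applies to; "
                 + "check the xalan jar version";
        }
        if (XALAN_INTERPRETIVE.equals(className)) {
            return "Xalan interpretive processor: not the XSLTC compiler, but xalan.jar "
                 + "(which also contains XSLTC) is still on the classpath";
        }
        if (JDK_XSLTC.equals(className)) {
            return "JDK built-in XSLTC: exposure depends on the JDK patch level, "
                 + "not on the xalan jar";
        }
        return "other implementation: review separately";
    }

    /** Where the implementation class was loaded from (jar URL, or the JDK runtime). */
    static String origin(Class<?> impl) {
        CodeSource cs = impl.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null)
                ? "(JDK runtime)" : cs.getLocation().toString();
    }

    /** Implementation-Version from the jar manifest, if the jar declares one. */
    static String version(Class<?> impl) {
        Package p = impl.getPackage();
        String v = (p == null) ? null : p.getImplementationVersion();
        return (v == null) ? "(no Implementation-Version in manifest)" : v;
    }

    public static void main(String[] args) {
        // What the application gets from TransformerFactory.newInstance(): the
        // javax.xml.transform.TransformerFactory system property, the JAXP
        // configuration, META-INF/services providers, then the JDK default.
        TransformerFactory selected = TransformerFactory.newInstance();
        Class<?> impl = selected.getClass();
        System.out.println("Selected: " + impl.getName());
        System.out.println("  from:    " + origin(impl));
        System.out.println("  version: " + version(impl));
        System.out.println("  verdict: " + classify(impl.getName()));

        // Every provider registered via META-INF/services, so a transitive
        // xalan.jar (here pulled in by batik-dom) shows up even when it is
        // not the one selected.
        System.out.println("Registered providers:");
        for (TransformerFactory tf : ServiceLoader.load(TransformerFactory.class)) {
            Class<?> c = tf.getClass();
            System.out.println("  " + c.getName() + " from " + origin(c));
        }
    }
}
```

Run it with the application's real runtime classpath (for a Maven build, the one `mvn dependency:build-classpath` prints), not just with xalan.jar alone. Two caveats: the check only reports the default factory, so an application that instantiates the XSLTC factory explicitly or sets the system property to it is on the CVE-2022-34169 path regardless of the verdict; and if you exclude the transitive xalan:xalan from fop-core/batik-dom in the build, rerun the check, because the registered provider list and the selected engine will change.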