[
https://issues.apache.org/jira/browse/FREEMARKER-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411086#comment-17411086
]
Dániel Dékány commented on FREEMARKER-190:
------------------------------------------
It's not pulled in by FreeMarker, it's an optional dependency. That is, DOM4J
is only used if the application that embeds FreeMarker already uses it, and
passes DOM4J nodes to FreeMarker. Also DOM4J support is a legacy feature, and I
believe the current versions of DOM4J aren't compatible with the 1.3 API. So,
to keep backward compatibility, this legacy DOM4J feature must assume 1.3.
> The jar dom4j has known security issue that Freemarker compiles dependend on
> it
> --------------------------------------------------------------------------------
>
> Key: FREEMARKER-190
> URL: https://issues.apache.org/jira/browse/FREEMARKER-190
> Project: Apache Freemarker
> Issue Type: Wish
> Components: engine
> Affects Versions: 2.3.31
> Reporter: PowerCOM_STARWAR
> Priority: Major
>
> Hi, friend. When i compile the Freemarker, i find it depends on the jar dom4j
> ,and its version is 1.3. From the Internet, this version 1.3 of dom4j has
> security issues, so please upgrade to the safety version.Thanks.
> The security issue number CVE-2020-10683 and link:
> [https://nvd.nist.gov/vuln/detail/CVE-2020-10683]
> The Security issue number CVE-2018-1000632 and link:
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1000632.]
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
