
htmlunit-driver latest version has transitive dependency on xalan which has direct vulnerability (CVE-2022-34169)

Open sumitsg004 opened this issue 3 years ago • 1 comments

Hi Team,

We are using HtmlUnitDriver 3.6.3 (latest version). This has a transitive dependency on Xalan, which is retired and has a security vulnerability (CVE-2022-34169).

Any inputs on how to mitigate this vulnerability? Is there a new version of htmlunit-driver planned which will address this dependency on Xalan?

sumitsg004 avatar Aug 15 '22 14:08 sumitsg004

We are currently discussing alternatives: https://github.com/HtmlUnit/htmlunit/issues/493 Any input is welcome.

rbri avatar Aug 15 '22 15:08 rbri

Starting with HtmlUnit 2.65.1 the dependency on xalan is gone. And starting with HtmlUnit 2.68.0 xerces is also no longer part of the game.

Thanks for motivating this.

rbri avatar Dec 17 '22 15:12 rbri
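A quick way to confirm, after upgrading, that neither xalan nor xerces is still pulled in: scan the build's `mvn dependency:tree` output for those groups. This is an added example, not code from the issue thread or the HtmlUnit project; the sample tree below is constructed and its version numbers are illustrative.

```shell
#!/bin/sh
# Added example: flag the retired xalan/xerces artifacts in Maven dependency:tree output.

# Constructed sample of `mvn dependency:tree` output from a project on an old
# htmlunit-driver (versions are illustrative, not taken from the thread).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.seleniumhq.selenium:htmlunit-driver:jar:3.63.0:test
[INFO] |  \- net.sourceforge.htmlunit:htmlunit:jar:2.63.0:test
[INFO] |     +- xalan:xalan:jar:2.7.2:test
[INFO] |     |  \- xalan:serializer:jar:2.7.2:test
[INFO] |     \- xerces:xercesImpl:jar:2.12.2:test
[INFO] \- junit:junit:jar:4.13.2:test'

# Constructed sample after moving to an HtmlUnit build without xalan/xerces.
CLEAN_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.seleniumhq.selenium:htmlunit-driver:jar:3.68.0:test
[INFO] |  \- net.sourceforge.htmlunit:htmlunit:jar:2.68.0:test
[INFO] \- junit:junit:jar:4.13.2:test'

# find_retired_artifacts TREE_TEXT
# Prints group:artifact:version for every xalan or xerces artifact found.
# Each tree line looks like "[INFO] |  +- group:artifact:type:version:scope";
# the sed strips the "[INFO]" prefix and the tree-drawing characters, awk
# splits the coordinate on ':' and keeps only the two retired groups.
find_retired_artifacts() {
    printf '%s\n' "$1" \
      | sed -n 's/^\[INFO\] [| +\\-]*\([^ ]*\).*$/\1/p' \
      | awk -F: '$1 == "xalan" || $1 == "xerces" { print $1 ":" $2 ":" $4 }'
}

# check_tree TREE_TEXT
# Returns 0 when the tree is clean, 1 (after listing the offenders) otherwise,
# so it can gate a CI step.
check_tree() {
    found=$(find_retired_artifacts "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage against the constructed samples; in a real build feed it
# "$(mvn -q dependency:tree)" instead.
check_tree "$SAMPLE_TREE" || echo "retired artifacts present: upgrade htmlunit-driver"
check_tree "$CLEAN_TREE" && echo "no xalan/xerces artifacts on the classpath"
```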