
Fix CVE-2021-23792 vulnerability from imageio-jpeg

Open CGarces opened this issue 3 years ago • 1 comments

Hi.

The current version of epubcheck has a vulnerability considered critical in my current builds, which use epubcheck 4.2.6.

See https://security.snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23792 and https://github.com/advisories/GHSA-pjch-4g28-fxx7

The vulnerability is caused by one of the dependencies, imageio-jpeg https://github.com/w3c/epubcheck/blob/main/pom.xml#L210-L214

This security issue was fixed in 3.7.1, but I don't have the knowledge to test epubcheck with the upgraded version.

Please note that the version used (3.4.1) is from 2018; the last version from that branch is 3.4.3, from 2020, but it does not fix the CVE-2021-23792 vulnerability.

Is it possible to bump the imageio-jpeg dependency?

CGarces avatar Jun 11 '22 14:06 CGarces
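An added example, not part of the issue or of epubcheck itself: a small audit script that reads a pom.xml, resolves `${...}` property placeholders, and flags the imageio-jpeg dependency when its version is below 3.7.1, the first release the issue names as fixing CVE-2021-23792. It assumes the Maven coordinates `com.twelvemonkeys.imageio:imageio-jpeg` (the group id is inferred from the Snyk identifier, not stated on the page) and uses a constructed pom fragment as input.

```python
"""Check a Maven pom.xml for an imageio-jpeg version affected by CVE-2021-23792.

Hypothetical helper, not part of epubcheck. It resolves <properties>
placeholders and compares the declared version against the fixed
version named in the issue (3.7.1).
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = "3.7.1"  # first release without CVE-2021-23792, per the issue

# Constructed sample pom fragment modelled on a pinned imageio-jpeg dependency
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <imageio.version>3.4.1</imageio.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.twelvemonkeys.imageio</groupId>
      <artifactId>imageio-jpeg</artifactId>
      <version>${imageio.version}</version>
    </dependency>
  </dependencies>
</project>"""

def version_tuple(v):
    # Compare numeric components only: "3.8.2" -> (3, 8, 2)
    return tuple(int(p) for p in re.findall(r"\d+", v))

def resolve(value, props):
    # Expand ${prop} placeholders from <properties>; unknown ones are left as-is
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_vulnerable(pom_xml, group="com.twelvemonkeys.imageio", artifact="imageio-jpeg"):
    """Return (groupId:artifactId, version) pairs whose version is below FIXED_VERSION."""
    root = ET.fromstring(pom_xml)
    # Strip the namespace from property tags so "${imageio.version}" can be looked up
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        g = dep.findtext("m:groupId", default="", namespaces=NS)
        a = dep.findtext("m:artifactId", default="", namespaces=NS)
        v = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if g == group and a == artifact and v and version_tuple(v) < version_tuple(FIXED_VERSION):
            hits.append((f"{g}:{a}", v))
    return hits

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE_POM))  # [('com.twelvemonkeys.imageio:imageio-jpeg', '3.4.1')]
```

Dependencies pulled in transitively are not visible in the pom, so pair this with `mvn dependency:tree` when auditing a real build.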

I have enabled dependabot on my repo https://github.com/CGarces/epubcheck/blob/main/.github/dependabot.yml

And the automatic PR generated by dependabot for the 3.8.2 upgrade passes the CI scripts.

https://github.com/CGarces/epubcheck/pull/3

CGarces avatar Jun 11 '22 15:06 CGarces