
CVE-2021-37714: update jsoup

Open goto1134 opened this issue 3 years ago • 3 comments

openhtmltopdf-jsoup-dom-converter has an org.jsoup:jsoup:1.11.3 dependency. This version is vulnerable to CVE-2021-37714.

To fix it, follow the advice GHSA-m72m-mhq2-9p6c and update to org.jsoup:jsoup:1.14.2 and higher.

The related issue in openhtmltopdf: https://github.com/danfickle/openhtmltopdf/issues/828

goto1134 avatar Apr 20 '22 09:04 goto1134

Apparently this is a false positive, since all modules of flexmark override this with a newer jsoup, it just is not explicitly excluded on the openhtmltopdf-jsoup-dom-converter dependency (which would prevent this false positive).

This dependency itself might be worth removing though. Its own description marks it as deprecated:

DEPRECATED MODULE FOR REMOVAL: Use Jsoup provided W3CDom helper class instead. Open HTML to PDF is a CSS 2.1 renderer written in Java. This artifact supports converting a Jsoup HTML5 instance into a DOM supported by Open HTML to PDF.

snv avatar Aug 24 '22 06:08 snv

Any updates on a fix timeline?

kkomissarchik avatar Sep 21 '22 00:09 kkomissarchik

So is this saying to use something like https://jsoup.org/apidocs/org/jsoup/helper/class-use/W3CDom.html ?

ebresie avatar Sep 25 '22 16:09 ebresie
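The replacement the deprecated module's own description points at, shown as an added example (not flexmark-java's or openhtmltopdf's code): parse HTML5 with Jsoup, convert it to an org.w3c.dom.Document with Jsoup's W3CDom helper, and hand that DOM to Open HTML to PDF, so openhtmltopdf-jsoup-dom-converter and its pinned jsoup 1.11.3 are not needed at all. It assumes org.jsoup:jsoup at 1.14.2 or higher and com.openhtmltopdf:openhtmltopdf-pdfbox on the classpath; the sample HTML, the base URI and the output file name are constructed for the example.

```java
import org.jsoup.Jsoup;
import org.jsoup.helper.W3CDom;
import org.jsoup.nodes.Document;

import com.openhtmltopdf.pdfboxout.PdfRendererBuilder;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;

/**
 * Stand-in for the deprecated openhtmltopdf-jsoup-dom-converter module:
 * Jsoup's own W3CDom does the Jsoup-document-to-W3C-DOM conversion, so the
 * only jsoup on the classpath is the version the build pins explicitly.
 */
public class JsoupToPdf {

    /** Constructed sample input: sloppy HTML that an HTML5 parser must repair. */
    static final String SAMPLE_HTML =
        "<h1>Report</h1><p>Unclosed paragraph<ul><li>item one<li>item two</ul>";

    /** Parse with Jsoup and convert to a W3C DOM using Jsoup's W3CDom helper. */
    public static org.w3c.dom.Document toW3cDocument(String html, String baseUri) {
        Document jsoupDoc = Jsoup.parse(html, baseUri);
        // The fix for CVE-2021-37714 lives in jsoup itself (1.14.2+), so the
        // version that actually wins on the classpath is what matters; pin it
        // in the build instead of relying on a transitive override.
        return new W3CDom().fromJsoup(jsoupDoc);
    }

    /** Render the converted DOM to PDF with Open HTML to PDF's PDFBox backend. */
    public static void renderPdf(org.w3c.dom.Document w3cDoc, String baseUri, OutputStream out)
            throws IOException {
        PdfRendererBuilder builder = new PdfRendererBuilder();
        builder.useFastMode();
        builder.withW3cDocument(w3cDoc, baseUri);
        builder.toStream(out);
        builder.run();
    }

    public static void main(String[] args) throws IOException {
        // Assumption: base URI used to resolve relative resources (images, CSS).
        String baseUri = "file:///tmp/";
        org.w3c.dom.Document w3cDoc = toW3cDocument(SAMPLE_HTML, baseUri);
        // Serialise the converted DOM so the repaired structure can be inspected.
        System.out.println(W3CDom.asString(w3cDoc, W3CDom.OutputHtml()));
        try (OutputStream out = new FileOutputStream("report.pdf")) { // constructed file name
            renderPdf(w3cDoc, baseUri, out);
        }
    }
}
```

With the converter module dropped from the dependency tree, a dependency scanner no longer sees the 1.11.3 coordinate at all, which removes the false positive rather than papering over it with an exclusion.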