CVEs in outdated libs wss4j and xmlsec

Question

CVEs in outdated libs wss4j and xmlsec

sopgreg opened this issue 2 years ago · comments

sopgreg commented 2 years ago

The versions used for wss4j (2.2.2) and xmlsec (2.1.2) are several years old and partially also contain CVEs.

See also:

https://ws.apache.org/wss4j/index.html
https://santuario.apache.org/secadv.html

Renate Slebe · Answer 1 · Wed Oct 26 2022 17:09:02 GMT+0800 (China Standard Time)

We will be upgrading dependencies in a future version. However, these CVEs are in parts of the libraries that Holodeck B2B does not use and therefore do not pose a risk.