Fix CVE-2021-23792 vulnerability from imageio-jpeg #1336
Labels: priority: critical, status: accepted, status: completed, type: maintenance
Hi.
The current version of epubcheck has a vulnerability considered critical in my current builds, which use epubcheck 4.2.6.
See
https://security.snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23792
GHSA-pjch-4g28-fxx7
The vulnerability is caused by one of the dependencies, imageio-jpeg:
https://github.com/w3c/epubcheck/blob/main/pom.xml#L210-L214
This security issue was fixed in 3.7.1, but I don't have the knowledge to test epubcheck with the upgraded version.
Please note that the version used (3.4.1) is from 2018; the last version from that branch is 3.4.3 from 2020, but it does not fix the CVE-2021-23792 vulnerability.
Is it possible to bump the imageio-jpeg dependency?
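Because the version declared in pom.xml is not always the one Maven resolves (dependencyManagement or a transitive dependency can pin a different one), a practitioner fixing this issue would want to check the resolved version of imageio-jpeg against the first fixed release, 3.7.1. The script below is an added example, not part of this issue or of epubcheck's code; it assumes the plain-text output of `mvn dependency:tree`, and the sample output it parses is constructed.

```python
"""Flag a resolved com.twelvemonkeys.imageio:imageio-jpeg older than the fixed release.

Input is the text output of `mvn dependency:tree`; SAMPLE_TREE is a constructed
sample of what an epubcheck 4.2.6 build would print, not real output.
"""

VULNERABLE_ARTIFACT = ("com.twelvemonkeys.imageio", "imageio-jpeg")
FIRST_FIXED_VERSION = "3.7.1"  # per the issue: 3.4.x (even 3.4.3) does not carry the fix

SAMPLE_TREE = """\
[INFO] org.w3c:epubcheck:jar:4.2.6
[INFO] +- com.twelvemonkeys.imageio:imageio-jpeg:jar:3.4.1:compile
[INFO] |  +- com.twelvemonkeys.imageio:imageio-core:jar:3.4.1:compile
[INFO] |  \\- com.twelvemonkeys.imageio:imageio-metadata:jar:3.4.1:compile
[INFO] \\- org.jsoup:jsoup:jar:1.13.1:compile
"""


def parse_tree(text):
    """Yield (group, artifact, version) for each coordinate line of dependency:tree.

    Coordinates are group:artifact:type[:classifier]:version:scope, so the version
    is always the second-to-last field; the root line (no scope) is skipped.
    """
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip(" +\\|-").split(":")
        if len(parts) not in (5, 6):
            continue
        yield parts[0], parts[1], parts[-2]


def version_key(version):
    """Comparable key for Maven-style versions: numeric parts padded to 4 fields,
    with a qualifier such as -SNAPSHOT sorting below the plain release."""
    head, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in head.split(".")][:4]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + ((0,) if qualifier else (1,))


def find_vulnerable(tree_text, fixed=FIRST_FIXED_VERSION):
    """Return every resolved imageio-jpeg version that is older than `fixed`."""
    return [
        version
        for group, artifact, version in parse_tree(tree_text)
        if (group, artifact) == VULNERABLE_ARTIFACT
        and version_key(version) < version_key(fixed)
    ]


if __name__ == "__main__":
    print("vulnerable imageio-jpeg versions resolved:", find_vulnerable(SAMPLE_TREE))
```

Pipe real output in with `mvn dependency:tree | python3 check_imageio.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; an empty list means the build no longer resolves an affected version.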