Batik Dependency Subject to Known Vulnerabilities

https://github.com/nidi3/graphviz-java/blob/f0c1fdfa37c8b9876ef1dcccec1a6c19219e727e/graphviz-java/pom.xml#L92-L104

## List of known vulnerabilities

Fixed in 1.15:
- CVE-2022-38648
- CVE-2022-40146

Fixed in 1.16:
- CVE-2022-41704
- CVE-2022-42890

Fixed in 1.17:
- CVE-2022-44729
- CVE-2022-44730

## Issues Affecting This Repository

A simple dependency version bump works fine for 1.15 / 1.16. For 1.17, however, a simple version bump does not work as it breaks several Batik rasterizer tests, with the presumable cause being the patches for CVE-2022-44729.

	<!-- Only needed for BATIK renderer -->
	<dependency>
	<groupId>org.apache.xmlgraphics</groupId>
	<artifactId>batik-rasterizer</artifactId>
	<version>1.14</version>
	<optional>true</optional>
	<exclusions>
	<exclusion>
	<groupId>commons-logging</groupId>
	<artifactId>commons-logging</artifactId>
	</exclusion>
	</exclusions>
	</dependency>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Batik Dependency Subject to Known Vulnerabilities #251

List of known vulnerabilities

Issues Affecting This Repository

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Batik Dependency Subject to Known Vulnerabilities #251

Description

List of known vulnerabilities

Issues Affecting This Repository

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions