
Fix CVE-2021-23792 vulnerability from imageio-jpeg #1336

@CGarces

Hi.

The current version of epubcheck has a vulnerability considered critical in my current builds, which use epubcheck 4.2.6.

See
https://security.snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23792
GHSA-pjch-4g28-fxx7

The vulnerability is caused by one of the dependencies, imageio-jpeg:
https://github.com/w3c/epubcheck/blob/main/pom.xml#L210-L214

This security issue was fixed in 3.7.1, but I don't have the knowledge to test epubcheck with the upgraded version.

Please note that the version used (3.4.1) is from 2018; the last version from that branch is 3.4.3 from 2020, but it does not fix the CVE-2021-23792 vulnerability.

Is it possible to bump the imageio-jpeg dependency?
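A quick check for the situation the report describes, added here as an example and not part of the issue or of epubcheck: it parses a Maven pom.xml, resolves a `${property}`-based version the way Maven does, and flags `com.twelvemonkeys.imageio:imageio-jpeg` (the Maven coordinates behind the Snyk identifier above) when it is older than the 3.7.1 fixed-in release. The sample poms are constructed, not epubcheck's real pom.xml; note that the last 3.4.x release (3.4.3) is still flagged, matching the point made in the report.

```python
"""Flag a pom.xml that still pins com.twelvemonkeys.imageio:imageio-jpeg below 3.7.1."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GROUP, ARTIFACT = "com.twelvemonkeys.imageio", "imageio-jpeg"
FIXED_VERSION = "3.7.1"  # fixed-in version cited in the issue (CVE-2021-23792)

# Constructed sample poms (not epubcheck's real pom.xml): the version is set
# through a property, once at the last 3.4.x release and once at the fixed one.
POM_TEMPLATE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><twelvemonkeys.version>{ver}</twelvemonkeys.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.twelvemonkeys.imageio</groupId>
      <artifactId>imageio-jpeg</artifactId>
      <version>${{twelvemonkeys.version}}</version>
    </dependency>
  </dependencies>
</project>"""
SAMPLE_VULNERABLE_POM = POM_TEMPLATE.format(ver="3.4.3")
SAMPLE_FIXED_POM = POM_TEMPLATE.format(ver="3.7.1")


def parse_version(version):
    """Numeric tuple so that 3.10.0 sorts after 3.7.1 (a string compare would not)."""
    parts = [int(x) for x in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def resolve(value, props):
    """Expand ${property} references in a <version> the way Maven does."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def vulnerable_imageio_jpeg(pom_xml, fixed=FIXED_VERSION):
    """Return the imageio-jpeg version if it is below `fixed` or cannot be resolved
    (so it needs a manual look), or None if the dependency is absent or up to date."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coords = (dep.findtext("m:groupId", namespaces=NS), dep.findtext("m:artifactId", namespaces=NS))
        if coords != (GROUP, ARTIFACT):
            continue
        version = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if not version or "${" in version:
            return version or "unresolved"  # inherited/managed elsewhere: review by hand
        if parse_version(version) < parse_version(fixed):
            return version
    return None


if __name__ == "__main__":
    print("vulnerable sample:", vulnerable_imageio_jpeg(SAMPLE_VULNERABLE_POM))
    print("fixed sample:", vulnerable_imageio_jpeg(SAMPLE_FIXED_POM))
```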


Labels

- priority: critical (To be processed and published ASAP)
- status: accepted (Ready to be further processed)
- status: completed (Work completed, can be closed)
- type: maintenance (The issue is related to a meta task: build system, dependency update, etc.)
