Closed mangstadt closed 1 year ago
These vulnerabilities affect ez-vcard's dependencies. The dependencies will be updated to their latest versions whenever I release a new version of ez-vcard, and I don't know when that will be.
However, if you are just reading/writing plain-text vCards, then the vulnerabilities shouldn't affect you. In fact, you can exclude the affected libraries to be safe.
Exclude jackson (jCards): https://github.com/mangstadt/ez-vcard/wiki/jCard#3-dependency
Exclude jsoup (hCards): https://github.com/mangstadt/ez-vcard/wiki/hCard#14-dependency

CVE-2022-42004: Only affects JSON-encoded vCards (jCard).
CVE-2022-42003: Only affects JSON-encoded vCards (jCard).
CVE-2022-36033: Only affects HTML-encoded vCards (hCard).
CVE-2022-34169: The Apache Xalan Java XSLT library is only used for unit testing and is not included in the release version.
Hi Mike,
thanks for your quick reply.
I use jCards but not hCards. Anyway, I think it could be sufficient to exclude only the dependency from jsoup.
Best,
Mario
The vulnerabilities should only affect your application if your code uses the JCardModule, JCardSerializer, or JCardDeserializer classes. These classes use the "jackson-databind" library, which is what the CVE vulnerabilities are for.
If you are using the Ezvcard, JCardReader, JCardWriter classes to serialize your jCards, then you should be OK because those classes only use the "jackson-core" library.
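The two comments above describe which ez-vcard code paths pull in which library: jsoup is only needed for hCard, and jackson-databind only for JCardModule/JCardSerializer/JCardDeserializer, while Ezvcard.writeJson()/parseJson(), JCardReader and JCardWriter need only jackson-core. The Maven fragment below is an added example of putting that into a pom.xml; it is not from the ez-vcard project or its wiki. It assumes the Maven coordinates com.googlecode.ez-vcard:ez-vcard:0.11.3 (from the mvnrepository link in this thread), org.jsoup:jsoup and com.fasterxml.jackson.core:jackson-databind, and that ez-vcard 0.11.3 is what brings those two artifacts into your build.

```xml
<!-- pom.xml fragment: added example, not project code.
     Keeps jCard reading/writing working while dropping the two
     libraries named in the CVEs listed in this thread. -->
<dependency>
  <groupId>com.googlecode.ez-vcard</groupId>
  <artifactId>ez-vcard</artifactId>
  <version>0.11.3</version>
  <exclusions>
    <!-- jsoup is only used for hCard (HTML) vCards; CVE-2022-36033.
         Safe to exclude if you never call the hCard reader/writer. -->
    <exclusion>
      <groupId>org.jsoup</groupId>
      <artifactId>jsoup</artifactId>
    </exclusion>
    <!-- jackson-databind is only used by JCardModule, JCardSerializer and
         JCardDeserializer; CVE-2022-42003 / CVE-2022-42004.
         Ezvcard.writeJson()/parseJson(), JCardReader and JCardWriter use
         jackson-core only, so they keep working with this exclusion. -->
    <exclusion>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Two checks worth doing after adding the exclusions. First, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core,org.jsoup` and confirm neither jackson-databind nor jsoup still appears; an exclusion only removes the copy that ez-vcard pulls in, so if another dependency also brings jackson-databind you have to manage its version there instead. Second, if some code path does still touch JCardModule or the hCard classes, it will now fail at runtime with a NoClassDefFoundError rather than silently using the vulnerable library, which is the failure you want in this situation and is easy to catch in a test run.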
Email from Mario:
Hi Mike,
hope this note finds you well.
Have you planned to fix the current version's vulnerabilities (see https://mvnrepository.com/artifact/com.googlecode.ez-vcard/ez-vcard/0.11.3)?