Expected behaviour
Shot is usable without pulling in transitive dependencies that have CVE issues against them.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Actual behaviour
Shot uses a very old version of Scrimage which in turn uses an older version of imageio-jpeg, which itself is vulnerable and causing this issue.
Fixing this should be a simple dependency update - though note that around version 3.0.0 the module name changed. The new dependency should be something like "com.sksamuel.scrimage:scrimage-core:4.0.34"
https://github.com/sksamuel/scrimage/releases
From what I can tell, these versions should be binary compatible with the one currently in use - I don't see any breaking changes listed in the release notes.
Steps to reproduce
Check dependency chain. Shot-core is currently using "com.sksamuel.scrimage:scrimage-core_2.12:2.1.8"
https://github.com/pedrovgs/Shot/blob/master/core/build.gradle#LL16C22-L16C67
Version of the library
5.14.1
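The "check dependency chain" step above is easier to repeat, and to re-run after the bump, with a small script over the output of `./gradlew :core:dependencies --configuration runtimeClasspath`. The following is an added example, not code from the Shot project or from this report: it parses Gradle's tree-drawing output, keeps the resolved version when Gradle prints a `->` conflict resolution, and prints the root-first chain that pulls in every artifact whose `group:artifact` is on a flagged list. The sample tree and the flagged list are constructed for the example; the child artifacts, their versions and the `com.twelvemonkeys.imageio:imageio-jpeg` coordinate are assumptions, not Shot's real dependency graph, and the mapping of the CVEs above to specific artifacts is left to your scanner rather than hard-coded here.

```python
"""Find flagged artifacts in `gradle dependencies` output and show what pulls them in."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `./gradlew :core:dependencies --configuration runtimeClasspath`.
# Child artifacts and versions are assumptions for illustration, not Shot's real tree.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.sksamuel.scrimage:scrimage-core_2.12:2.1.8
|    +--- org.scala-lang:scala-library:2.12.4
|    +--- com.twelvemonkeys.imageio:imageio-jpeg:3.3.2
|    |    \\--- com.twelvemonkeys.imageio:imageio-core:3.3.2
|    +--- com.drewnoakes:metadata-extractor:2.11.0
|    \\--- commons-io:commons-io:2.6
\\--- org.jetbrains.kotlin:kotlin-stdlib:1.3.72
"""

# group:artifact -> why it is flagged. Constructed list; feed it from your scanner output.
FLAGGED: Dict[str, str] = {
    "com.sksamuel.scrimage:scrimage-core_2.12": "pre-3.0 scrimage module name, to be replaced",
    "com.twelvemonkeys.imageio:imageio-jpeg": "flagged by dependency scanner (constructed entry)",
}

# One dependency line: tree prefix made of 5-char cells, branch marker, coordinate, trailing notes.
_LINE = re.compile(r"^((?:\|    |     )*)[+\\]--- (\S+)(.*)$")
# " -> 2.7" after a coordinate means Gradle resolved a different version than was declared.
_ARROW = re.compile(r"^\s*->\s*(\S+)")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, group:artifact:resolvedVersion) for every node, in tree order."""
    nodes: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # configuration header, blank lines, "(*) - dependencies omitted" footer
        prefix, coord, rest = m.groups()
        depth = len(prefix) // 5  # each nesting level is one 5-character cell
        arrow = _ARROW.match(rest)
        if arrow:  # report the version actually on the classpath, not the declared one
            group, artifact = coord.split(":")[:2]
            coord = f"{group}:{artifact}:{arrow.group(1)}"
        nodes.append((depth, coord))
    return nodes


def find_flagged(text: str, flagged: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each resolved coordinate whose group:artifact is flagged to the root-first
    chain of coordinates that brings it onto the classpath."""
    hits: Dict[str, List[str]] = {}
    stack: List[str] = []  # ancestors of the current node
    for depth, coord in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(coord)
        group_artifact = ":".join(coord.split(":")[:2])
        if group_artifact in flagged:
            hits[coord] = list(stack)
    return hits


def report(text: str, flagged: Dict[str, str]) -> List[str]:
    """One human-readable line per hit: the artifact, the reason, and what pulls it in."""
    lines = []
    for coord, chain in find_flagged(text, flagged).items():
        reason = flagged[":".join(coord.split(":")[:2])]
        via = " <- ".join(reversed(chain[:-1])) or "declared directly"
        lines.append(f"{coord}: {reason} (via {via})")
    return lines


if __name__ == "__main__":
    # Usage: ./gradlew :core:dependencies --configuration runtimeClasspath > deps.txt
    #        python audit_deps.py deps.txt        (no argument: the constructed sample)
    tree = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for line in report(tree, FLAGGED):
        print(line)
```

After changing `core/build.gradle` to the `com.sksamuel.scrimage:scrimage-core:4.0.34` coordinate the report suggests, rerun the same Gradle command and the script; the pass condition is an empty report, which also confirms the old `_2.12`-suffixed module (the pre-3.0 name) is no longer on the classpath. `./gradlew :core:dependencyInsight --dependency imageio-jpeg` gives the same chain for a single artifact without any parsing.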