HIGH vulnerabilities - Githubissues

suvash / one-time

One Time Password (TOTP and HOTP) library for Clojure. TOTP/HOTP is widely used for Two Factor / Multi Factor Authentication.

Eclipse Public License 1.0

166 stars 17 forks source link

Open ClemRz opened 3 months ago

ClemRz commented 3 months ago

Hi,

It seems that nvd-clojure detects quite a few HIGH vulnerabilities due to the Batik dependencies version used in on-time:

batik-css-1.15.jar: CVE-2022-44729, CVE-2022-42890, CVE-2022-41704, CVE-2022-44730
batik-i18n-1.15.jar: CVE-2022-44729, CVE-2022-44730

~It seems that this is for front-end purposes. Why are they actually needed?~ <- probably for QR rendering.

Is there any plan to upgrade these dependencies please?

ClemRz commented 3 months ago

Actually, PR #24 from @daviddurand should solve these vulnerabilities.