technomancy / leiningen

Moved to Codeberg; this is a convenience mirror
https://codeberg.org/leiningen/leiningen

CVE-2022-36033: Upgrade jsoup to version 1.15.3 #2805

Closed (emilywoods closed this 1 year ago)

emilywoods commented 1 year ago

https://nvd.nist.gov/vuln/detail/CVE-2022-36033

Leiningen 2.9.10 has the dependency org.jsoup:jsoup:jar:1.14.2, which contains CVE-2022-36033. This CVE is fixed in version 1.15.3.

Please let me know if any additional info is needed!

Thank you

technomancy commented 1 year ago

As far as I can tell, even though we pull in this dependency from pomegranate, it is completely unnecessary for anything we actually do. I will look into whether we can remove it altogether rather than upgrading it. (But if we can't get rid of it, we can certainly upgrade it.)

technomancy commented 1 year ago

OK, this is fixed in f255040 which brings in a new wagon-http version that doesn't use jsoup.
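Added example, not part of this issue or of Leiningen's code: a small Python check that inspects a jar for bundled jsoup and compares the version recorded in its Maven metadata against the 1.15.3 fix named in the report, so a build can be confirmed either to carry a fixed jsoup or, as with the wagon-http change above, no jsoup at all. The standalone-jar path in the comment is an assumed location, and the sample jars are constructed in memory.

```python
"""Check whether a jar bundles jsoup and whether that jsoup predates the
CVE-2022-36033 fix (jsoup 1.15.3, per the issue)."""
import io
import re
import zipfile

FIXED_VERSION = (1, 15, 3)  # version the issue names as carrying the fix
POM_PROPS = "META-INF/maven/org.jsoup/jsoup/pom.properties"


def parse_version(text):
    """'1.14.2' -> (1, 14, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def jsoup_status(jar_bytes):
    """Return {'bundled', 'version', 'vulnerable'} for an in-memory jar.
    'vulnerable' is None when jsoup classes exist but no version metadata is found."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        bundled = any(n.startswith("org/jsoup/") and n.endswith(".class") for n in names)
        if not bundled:
            return {"bundled": False, "version": None, "vulnerable": False}
        if POM_PROPS not in names:
            return {"bundled": True, "version": None, "vulnerable": None}
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.MULTILINE)
        if not match:
            return {"bundled": True, "version": None, "vulnerable": None}
        version = match.group(1).strip()
        return {"bundled": True, "version": version,
                "vulnerable": parse_version(version) < FIXED_VERSION}


def build_sample_jar(version=None, with_classes=True):
    """Constructed in-memory jar mimicking an uberjar that bundles jsoup (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_classes:
            jar.writestr("org/jsoup/Jsoup.class", b"")
        if version is not None:
            jar.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\n"
                                    f"groupId=org.jsoup\nartifactId=jsoup\n")
    return buf.getvalue()


def check_jar_file(path):
    """Same check for a jar on disk, e.g. ~/.lein/self-installs/leiningen-2.9.10-standalone.jar (assumed path)."""
    with open(path, "rb") as fh:
        return jsoup_status(fh.read())


if __name__ == "__main__":
    for ver in ("1.14.2", "1.15.3", None):
        print(ver, jsoup_status(build_sample_jar(ver)))
```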

emilywoods commented 1 year ago

Thank you @technomancy!