Comments (3)
mangstadt
commented on June 29, 2024
These vulnerabilities affect ez-vcard's dependencies. The dependencies will be updated to their latest versions whenever I release a new version of ez-vcard, which I don't know when that will be.
However, if you are just reading/writing plain-text vCards, then the vulnerabilities shouldn't affect you. In fact, you can exclude the affected libraries to be safe.
Exclude jackson (jCards): https://github.com/mangstadt/ez-vcard/wiki/jCard#3-dependency
Exclude jsoup (hCards): https://github.com/mangstadt/ez-vcard/wiki/hCard#14-dependency
CVE-2022-42004: Only affects JSON-encoded vCards (jCard).
CVE-2022-42003: Only affects JSON-encoded vCards (jCard).
CVE-2022-36033: Only affects HTML-encoded vCards (hCard).
CVE-2022-34169: The Apache Xalan Java XSLT library is only used for unit testing and is not included in the release version.
from ez-vcard.
mangstadt
commented on June 29, 2024
Hi Mike,
thanks for your quick reply.
I use jCards but not hCards. Anyway, think it could be sufficient to exclude only the dependency from jsoup.
Best,
Mario
from ez-vcard.
mangstadt
commented on June 29, 2024
The vulnerabilities should only affect your application if your code uses the JCardModule, JCardSerializer, or JCardDeserializer classes. These classes use the "jackson-databind" library, which is what the CVE vulnerabilities are for.
If you are using the Ezvcard, JCardReader, JCardWriter classes to serialize your jCards, then you should be OK because those classes only use the "jackson-core" library.
from ez-vcard.
Related Issues (20)
- IMPP: case-insensitive comparison of schemes HOT 1
- VCardWriter - Writes data without proper formatting for Google Contacts - Expected : YYYY-MM-DD ; current : YYYYMMDD HOT 2
- [Q] How do I get the `RawProperty`s? HOT 1
- Migration to 0.12.0 while still supporting Android API 21..25 HOT 6
- Add support for Jigsaw modules HOT 1
- Parsing from chunk of text HOT 2
- Custom getter in VCardProperty HOT 9
- Invalid value for "MonthOfYear" caused by wrong BDAY date HOT 1
- Raw property values HOT 4
- Relations and Anniversaries are lost in serialization HOT 2
- what is the way to add social media contact? HOT 1
- Default line folding line length is not null HOT 1
- [Compatibility] Treat KIND values case-insensitive HOT 2
- whole vCard being drop instead of the specific corrupted fields HOT 3
- WhatsApp format of vcard is not supported?
- No Class found in DavX5 HOT 1
- hCard GEO HOT 1
- CRLF is handled incorrectly in vcard 2.1 properties HOT 8
- Wrong value for vCard property VERSION returned HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ez-vcard.