Hi, we are using PDFBox in a web application which was recently subjected to a penetration test. The tester found out that PDFBox is using 'Little CMS' version 2.3.0, at least that's what the metadata of the generated PDF says:
=======
$ exiftool test.pdf
[…]
Profile CMM Type : Little CMS
Profile Version : 2.3.0
[…]
Device Manufacturer : Little CMS
[…]
Profile Creator : Little CMS
[…]
=======

According to CVE Details (https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product_id-15596/Littlecms-Little-Cms-Color-Engine.html), at least five vulnerabilities have been published since the release date of the software in 2011. These include CVE-2013-7455, a vulnerability that has been given a CVSS rating of 10.0.

How can this be classified from PDFBox's point of view? How should we deal with this security risk, or is it possibly not a risk at all?

Thank you very much for your assessment!

Best regards,
Florian
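The four exiftool fields quoted in the post (Profile CMM Type, Profile Version, Device Manufacturer, Profile Creator) are read from the 128-byte header of the ICC colour profile embedded in the PDF, so they describe the tool that wrote that profile. The added example below is not part of the post or of PDFBox; it parses those header fields directly from raw profile bytes, using the ICC.1 header layout, and checks whether the creator signature is "lcms" (the signature Little CMS writes, which exiftool renders as "Little CMS"). The sample profile it constructs is a header-only stand-in for illustration, not a real profile, and the version "2.3.0" in it is taken from the post.

```python
import struct

# 4-byte signature that Little CMS writes into the CMM, manufacturer and
# creator header fields; exiftool displays it as "Little CMS".
LITTLE_CMS_SIG = b"lcms"


def parse_icc_header(profile: bytes) -> dict:
    """Decode the fixed 128-byte ICC profile header (ICC.1 layout).

    Offsets: 0 size, 4 preferred CMM, 8 version, 12 device class,
    16 colour space, 20 PCS, 36 'acsp' magic, 48 manufacturer,
    52 model, 80 creator.
    """
    if len(profile) < 128:
        raise ValueError("too short to hold an ICC header")
    if profile[36:40] != b"acsp":
        raise ValueError("missing 'acsp' signature: not an ICC profile")

    size, cmm = struct.unpack(">I4s", profile[0:8])
    # Version: byte 8 is the major version, byte 9 packs minor (high
    # nibble) and bug-fix (low nibble); bytes 10-11 are reserved.
    major, minor_bugfix = profile[8], profile[9]
    version = f"{major}.{minor_bugfix >> 4}.{minor_bugfix & 0x0F}"

    def sig(off: int) -> str:
        return profile[off:off + 4].decode("ascii", "replace")

    return {
        "size": size,
        "cmm": cmm.decode("ascii", "replace"),
        "version": version,
        "device_class": sig(12),
        "color_space": sig(16),
        "pcs": sig(20),
        "manufacturer": sig(48),
        "model": sig(52),
        "creator": sig(80),
    }


def written_by_little_cms(profile: bytes) -> bool:
    """True if the profile's creator field carries the Little CMS signature."""
    return profile[80:84] == LITTLE_CMS_SIG


def build_sample_profile() -> bytes:
    """Constructed test input: a header-only profile mimicking what a
    Little CMS 2.3.0 sRGB profile reports. Not a usable colour profile;
    the tag table is empty."""
    header = bytearray(128)
    struct.pack_into(">I", header, 0, 132)   # header + empty tag count
    header[4:8] = LITTLE_CMS_SIG             # preferred CMM
    header[8], header[9] = 0x02, 0x30        # version 2.3.0
    header[12:16] = b"mntr"                  # display device class
    header[16:20] = b"RGB "
    header[20:24] = b"XYZ "
    header[36:40] = b"acsp"
    header[48:52] = LITTLE_CMS_SIG           # manufacturer
    header[80:84] = LITTLE_CMS_SIG           # creator
    return bytes(header) + struct.pack(">I", 0)


if __name__ == "__main__":
    sample = build_sample_profile()
    for key, value in parse_icc_header(sample).items():
        print(f"{key:>13}: {value}")
    print("written by Little CMS:", written_by_little_cms(sample))
```

To run this against a real document, feed it the decoded bytes of the profile stream the PDF carries: the stream referenced by an /ICCBased colour-space array, or, for PDF/A output, the /DestOutputProfile stream of the /OutputIntents entry. Because the parsed values come from a data structure inside the file, they identify the software that created the profile, which is a separate question from which libraries the application generating the PDF has linked in.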