LittleCMS is bundled inside Java, so the version being used depends on your Java version and is not something PDFBox provides directly. So if you are really using LittleCMS 2.3, you have a very old JDK running and have not applied any updates to it.
With kind regards
Maruan

On Tuesday, 07.11.2023 at 15:40 +0100, Florian Schlittgen wrote:
> Hi,
>
> we are using PDFBox in a web application which was recently subjected
> to a penetration test. The tester found out that PDFBox is using
> 'Little CMS' version 2.3.0, at least that's what the metadata of the
> generated PDF says:
>
> =======
> $ exiftool test.pdf
> […]
> Profile CCM Type : Little CMS
> Profile Version : 2.3.0
> […]
> Device Manufacturer : Little CMS
> […]
> Profile Creator : Little CMS
> […]
> =======
>
> According to the CVEdetails
> (https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product_id-15596/Littlecms-Little-Cms-Color-Engine.html),
> at least five vulnerabilities have been published since the release
> date of the software in 2011. These include CVE-2013-7455, a
> vulnerability that has been given a CVSS rating of 10.0.
>
> How can this be classified from PDFBox's point of view? How should we
> deal with this security risk or is it possibly not a risk at all?
>
> Thank you very much for your assessment!
> Best regards,
> Florian
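The exiftool fields quoted in the thread are all read from the 128-byte header of the ICC colour profile embedded in the PDF: "Profile CMM Type", "Device Manufacturer" and "Profile Creator" are four-byte signatures (offsets 4, 48 and 80), which exiftool expands from the signature `lcms` to the name "Little CMS", while "Profile Version" (offset 8) is the version of the ICC profile specification the profile declares itself to conform to. The header has no field for the version of the library that wrote the profile. The script below, an added example that is not part of the original thread and not PDFBox or Little CMS code, decodes those header fields so the same check can be run against an ICC stream extracted from a PDF, or against the sRGB profile a given JDK ships. The sample header it builds is constructed here to resemble the quoted exiftool output; the profile size and the device class, colour space and PCS values in it are assumptions.

```python
"""Decode the ICC profile header fields that exiftool reports as
'Profile CMM Type', 'Profile Version', 'Device Manufacturer' and
'Profile Creator'. Added example; not PDFBox or Little CMS code."""
import struct
import sys

# Field offsets in the 128-byte ICC profile header (ICC.1 specification).
_OFF_CMM = 4            # preferred CMM type signature
_OFF_VERSION = 8        # profile version (ICC spec version, not writer version)
_OFF_CLASS = 12         # profile/device class, e.g. b"mntr"
_OFF_COLOR_SPACE = 16   # data colour space, e.g. b"RGB "
_OFF_PCS = 20           # profile connection space, e.g. b"XYZ "
_OFF_MAGIC = 36         # must be b"acsp"
_OFF_MANUFACTURER = 48  # device manufacturer signature
_OFF_CREATOR = 80       # profile creator signature

# Signatures exiftool renders as vendor names (subset; "lcms" is the one at issue).
_KNOWN_SIGS = {b"lcms": "Little CMS", b"ADBE": "Adobe", b"appl": "Apple", b"MSFT": "Microsoft"}


def _sig(data, off):
    return data[off:off + 4]


def _sig_name(raw):
    """Map a 4-byte signature to a vendor name, falling back to the raw ASCII."""
    return _KNOWN_SIGS.get(raw, raw.decode("ascii", "replace").strip())


def decode_version(data):
    """Byte 8 is the major version; byte 9 holds the minor version in its high
    nibble and the bug-fix level in its low nibble. Bytes 10-11 are reserved."""
    major = data[_OFF_VERSION]
    minor = data[_OFF_VERSION + 1] >> 4
    bugfix = data[_OFF_VERSION + 1] & 0x0F
    return f"{major}.{minor}.{bugfix}"


def parse_icc_header(data):
    """Return the header fields that identify who wrote the profile and which
    ICC specification version it declares. Raises ValueError on a non-profile."""
    if len(data) < 128:
        raise ValueError(f"ICC profile header is 128 bytes; got {len(data)}")
    if _sig(data, _OFF_MAGIC) != b"acsp":
        raise ValueError("missing 'acsp' signature at offset 36; not an ICC profile")
    (size,) = struct.unpack(">I", data[0:4])
    return {
        "size": size,
        "cmm_type": _sig_name(_sig(data, _OFF_CMM)),
        "profile_version": decode_version(data),
        "device_class": _sig(data, _OFF_CLASS).decode("ascii", "replace"),
        "color_space": _sig(data, _OFF_COLOR_SPACE).decode("ascii", "replace").strip(),
        "pcs": _sig(data, _OFF_PCS).decode("ascii", "replace").strip(),
        "manufacturer": _sig_name(_sig(data, _OFF_MANUFACTURER)),
        "creator": _sig_name(_sig(data, _OFF_CREATOR)),
    }


def build_sample_header():
    """Constructed 128-byte header resembling the quoted exiftool output.
    The size, class, colour space and PCS values are assumptions."""
    h = bytearray(128)
    struct.pack_into(">I", h, 0, 3144)          # profile size (assumed)
    h[_OFF_CMM:_OFF_CMM + 4] = b"lcms"          # exiftool: Profile CMM Type: Little CMS
    h[_OFF_VERSION:_OFF_VERSION + 4] = bytes([0x02, 0x30, 0x00, 0x00])  # ICC version 2.3.0
    h[_OFF_CLASS:_OFF_CLASS + 4] = b"mntr"
    h[_OFF_COLOR_SPACE:_OFF_COLOR_SPACE + 4] = b"RGB "
    h[_OFF_PCS:_OFF_PCS + 4] = b"XYZ "
    h[_OFF_MAGIC:_OFF_MAGIC + 4] = b"acsp"
    h[_OFF_MANUFACTURER:_OFF_MANUFACTURER + 4] = b"lcms"  # Device Manufacturer: Little CMS
    h[_OFF_CREATOR:_OFF_CREATOR + 4] = b"lcms"            # Profile Creator: Little CMS
    return bytes(h)


if __name__ == "__main__":
    # Pass an extracted .icc file to inspect it; otherwise decode the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_icc_header(data).items():
        print(f"{key:16}: {value}")
```

To run the same check against the profile a specific JDK bundles, dump it from Java with `java.awt.color.ICC_Profile.getInstance(java.awt.color.ColorSpace.CS_sRGB).getData()` written to a file, then point the script at that file. Whatever the header says, it identifies the writer only by signature; tying the embedded profile to a concrete Little CMS release, and hence to a CVE list, requires knowing which JDK build produced it.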