Thanks for your feedback. The Java version I am currently using is corretto-11.0.21, so this is the up-to-date version of Java 11. Is the assumption correct that the metadata field 'Profile Version' reflects the Little CMS version?
Kind regards,
Florian

> On 07.11.2023 at 16:34, sahy...@fileaffairs.de wrote:
>
> LittleCMS is bundled inside Java so the version being used depends on
> your Java version and is not something PDFBox provides directly. So if
> you are really using LittleCMS 2.3 you have a very old JDK running and
> not done any updates to that.
>
> With kind regards
> Maruan
>
> On Tuesday, 07.11.2023 at 15:40 +0100, Florian Schlittgen wrote:
>> Hi,
>>
>> we are using PDFBox in a web application which was recently subjected
>> to a penetration test. The tester found out that PDFBox is using
>> 'Little CMS' version 2.3.0, at least that's what the metadata of the
>> generated PDF says:
>>
>> =======
>> $ exiftool test.pdf
>> […]
>> Profile CCM Type : Little CMS
>> Profile Version : 2.3.0
>> […]
>> Device Manufacturer : Little CMS
>> […]
>> Profile Creator : Little CMS
>> […]
>> =======
>>
>> According to the CVEdetails
>> (https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product_id-15596/Littlecms-Little-Cms-Color-Engine.html),
>> at least five vulnerabilities have been published since the release
>> date of the software in 2011. These include CVE-2013-7455, a
>> vulnerability that has been given a CVSS rating of 10.0.
>>
>> How can this be classified from PDFBox's point of view? How should we
>> deal with this security risk or is it possibly not a risk at all?
>>
>> Thank you very much for your assessment!
>> Best regards,
>> Florian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
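When triaging a finding like the one in this thread, it helps to see which bytes of the embedded ICC profile produce the fields exiftool printed. The following is an added example, not code from the thread, PDFBox or exiftool: it decodes the fixed 128-byte ICC header, in which the ICC specification defines bytes 8-11 as the profile version and bytes 4-7, 48-51 and 80-83 as the CMM type, device manufacturer and profile creator signatures. The sample header is constructed for illustration and the 'lcms' signature value in it is an assumption.

```python
import struct

ICC_HEADER_LEN = 128  # fixed header size defined by the ICC specification


def parse_icc_header(data: bytes) -> dict:
    """Decode the ICC header fields that correspond to the exiftool lines in the thread."""
    if len(data) < ICC_HEADER_LEN:
        raise ValueError("truncated ICC header")
    if data[36:40] != b"acsp":
        raise ValueError("missing 'acsp' file signature, not an ICC profile")

    def sig(offset: int) -> str:
        # Four-byte ASCII signature; trailing NULs or spaces are padding.
        return data[offset:offset + 4].rstrip(b"\x00 ").decode("ascii", "replace")

    # Version: byte 8 is the major number, byte 9 packs minor and bugfix nibbles.
    major = data[8]
    minor, bugfix = data[9] >> 4, data[9] & 0x0F
    return {
        "declared_size": struct.unpack(">I", data[0:4])[0],
        "cmm_type": sig(4),
        "profile_version": f"{major}.{minor}.{bugfix}",
        "device_manufacturer": sig(48),
        "profile_creator": sig(80),
    }


def build_sample_header() -> bytes:
    """Constructed 128-byte header resembling the one reported in the thread."""
    h = bytearray(ICC_HEADER_LEN)
    h[0:4] = struct.pack(">I", ICC_HEADER_LEN)   # profile size (header only here)
    h[4:8] = b"lcms"                             # preferred CMM type (assumed value)
    h[8:12] = bytes([0x02, 0x30, 0x00, 0x00])    # profile version 2.3.0
    h[12:16] = b"mntr"                           # profile class: display
    h[16:20] = b"RGB "                           # data colour space
    h[20:24] = b"XYZ "                           # profile connection space
    h[36:40] = b"acsp"                           # mandatory file signature
    h[48:52] = b"lcms"                           # device manufacturer (assumed value)
    h[80:84] = b"lcms"                           # profile creator (assumed value)
    return bytes(h)


if __name__ == "__main__":
    for key, value in parse_icc_header(build_sample_header()).items():
        print(f"{key:20}: {value}")
```

To apply this to a real PDF, the ICC stream first has to be extracted from the document; the parser only needs its first 128 bytes.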