On Tuesday, 07.11.2023 at 16:59 +0100, Florian Schlittgen wrote:
> Thanks for your feedback.
> The Java version I am currently using is corretto-11.0.21, so this is
> the up-to-date version of Java 11.
> Is the assumption correct that the metadata field 'Profile Version'
> reflects the Little CMS version?

I don't know - maybe someone else can shed light on this.

BR
Maruan

>
> Kind regards,
> Florian
>
>
> On 07.11.2023 at 16:34, sahy...@fileaffairs.de wrote:
> >
> > LittleCMS is bundled inside Java so the version being used depends on
> > your Java version and is not something PDFBox provides directly. So if
> > you are really using LittleCMS 2.3 you have a very old JDK running and
> > not done any updates to that.
> >
> > With kind regards
> > Maruan
> >
> > On Tuesday, 07.11.2023 at 15:40 +0100, Florian Schlittgen wrote:
> > > Hi,
> > >
> > > we are using PDFBox in a web application which was recently subjected
> > > to a penetration test. The tester found out that PDFBox is using
> > > 'Little CMS' version 2.3.0, at least that's what the metadata of the
> > > generated PDF says:
> > >
> > > =======
> > > $ exiftool test.pdf
> > > […]
> > > Profile CCM Type : Little CMS
> > > Profile Version : 2.3.0
> > > […]
> > > Device Manufacturer : Little CMS
> > > […]
> > > Profile Creator : Little CMS
> > > […]
> > > =======
> > >
> > > According to the CVEdetails
> > > (https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product_id-15596/Littlecms-Little-Cms-Color-Engine.html),
> > > at least five vulnerabilities have been published since the release
> > > date of the software in 2011. These include CVE-2013-7455, a
> > > vulnerability that has been given a CVSS rating of 10.0.
> > >
> > > How can this be classified from PDFBox's point of view? How should we
> > > deal with this security risk or is it possibly not a risk at all?
> > >
> > > Thank you very much for your assessment!
> > >
> > > Best regards,
> > > Florian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
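
An added example, not part of the original thread and not PDFBox code: a minimal parser for the 128-byte ICC profile header, showing where the fields in the exiftool output above are stored. Per the ICC.1 header layout, bytes 8-11 hold the profile format version the profile conforms to and bytes 4-7 the preferred CMM signature, so both describe the embedded profile and neither records the build of the library loaded at runtime. The sample header is constructed, and the `lcms` signature standing behind exiftool's "Little CMS" label is an assumption.

```python
import struct

HEADER_LEN = 128  # fixed size of the ICC profile header


def _sig(raw: bytes) -> str:
    """Render a 4-byte signature as text, trimming NUL/space padding."""
    return raw.decode("ascii", errors="replace").rstrip("\x00 ")


def parse_icc_header(profile: bytes) -> dict:
    """Extract the header fields that appear in the exiftool report."""
    if len(profile) < HEADER_LEN:
        raise ValueError("truncated ICC header")
    if profile[36:40] != b"acsp":
        raise ValueError("missing 'acsp' profile file signature")
    (size,) = struct.unpack(">I", profile[0:4])
    # Byte 8 is the major version; byte 9 packs minor and bugfix as nibbles.
    major = profile[8]
    minor, bugfix = profile[9] >> 4, profile[9] & 0x0F
    return {
        "size": size,
        "cmm_type": _sig(profile[4:8]),                  # preferred CMM
        "profile_version": f"{major}.{minor}.{bugfix}",  # ICC format version
        "device_manufacturer": _sig(profile[48:52]),
        "profile_creator": _sig(profile[80:84]),
    }


def build_sample_header() -> bytes:
    """Constructed header carrying the values shown in the report."""
    h = bytearray(HEADER_LEN)
    h[0:4] = struct.pack(">I", HEADER_LEN)
    h[4:8] = b"lcms"                            # assumed CMM signature
    h[8:12] = bytes([0x02, 0x30, 0x00, 0x00])   # encodes 2.3.0
    h[12:16] = b"mntr"                          # display device class
    h[16:20] = b"RGB "                          # data colour space
    h[36:40] = b"acsp"                          # mandatory file signature
    h[48:52] = b"lcms"                          # device manufacturer
    h[80:84] = b"lcms"                          # profile creator
    return bytes(h)


if __name__ == "__main__":
    for key, value in parse_icc_header(build_sample_header()).items():
        print(f"{key:20} {value}")
```

Because these values travel inside the profile data, the installed JDK build is the place to establish which Little CMS release is actually in use, as the reply above points out.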