If the pen tester is relying on what the Exiftool reports, then they should know that it is reporting the version of ICC color profile itself (as per the version header field in the ICC file) - not the version of the ICC library (lcms). Have them review the exiftool tool source code: https://github.com/exiftool/exiftool/blob/master/lib/Image/ExifTool/ICC_Profile.pm
> -----Original Message-----
> From: Florian Schlittgen <schlitt...@liwa.de>
> Sent: Wednesday, November 8, 2023 2:59 AM
> To: users@pdfbox.apache.org
> Subject: Re: Re: Little CMS
>
> Thanks for your feedback.
> The Java version I am currently using is corretto-11.0.21, so this is the
> up-to-date version of Java 11.
> Is the assumption correct that the metadata field 'Profile Version' reflects
> the Little CMS version?
>
> Kind regards, Florian
>
>
> On 07.11.2023 at 16:34, sahy...@fileaffairs.de wrote:
> >
> > LittleCMS is bundled inside Java so the version being used depends on
> > your Java version and is not something PDFBox provides directly. So if
> > you are really using LittleCMS 2.3 you have a very old JDK running and
> > not done any updates to that.
> >
> > With kind regards
> > Maruan
> >
> > On Tuesday, 07.11.2023 at 15:40 +0100, Florian Schlittgen wrote:
> >> Hi,
> >>
> >> we are using PDFBox in a web application which was recently subjected
> >> to a penetration test. The tester found out that PDFBox is using
> >> 'Little CMS' version 2.3.0, at least that's what the metadata of the
> >> generated PDF says:
> >>
> >> =======
> >> $ exiftool test.pdf
> >> […]
> >> Profile CCM Type : Little CMS
> >> Profile Version : 2.3.0
> >> […]
> >> Device Manufacturer : Little CMS
> >> […]
> >> Profile Creator : Little CMS
> >> […]
> >> =======
> >>
> >> According to the CVEdetails
> >> (https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product
> >> _id-15596/Littlecms-Little-Cms-Color-Engine.html), at least five
> >> vulnerabilities have been published since the release date of the
> >> software in 2011. These include CVE-2013-7455, a vulnerability that
> >> has been given a CVSS rating of 10.0.
> >>
> >> How can this be classified from PDFBox's point of view? How should we
> >> deal with this security risk or is it possibly not a risk at all?
> >>
> >> Thank you very much for your assessment!
> >> Best regards,
> >> Florian
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> > For additional commands, e-mail: users-h...@pdfbox.apache.org
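As an added illustration (not part of the thread, and not exiftool's or PDFBox's code): a small Python script that decodes the ICC header fields behind the exiftool lines quoted above. The header it builds is constructed, not taken from a real file; bytes 8-11 of an ICC header hold the profile format version, and the 'lcms' signatures in the CMM type, manufacturer and creator slots are what exiftool displays as "Little CMS".

```python
import struct

ICC_HEADER_LEN = 128


def build_header(cmm=b"lcms", version=0x02300000, manufacturer=b"lcms", creator=b"lcms"):
    """Constructed 128-byte ICC header (not a real profile): only the fields
    discussed in the thread are filled in, everything else is left zero."""
    hdr = bytearray(ICC_HEADER_LEN)
    struct.pack_into(">I", hdr, 0, ICC_HEADER_LEN)  # profile size (header only)
    hdr[4:8] = cmm                                  # preferred CMM type signature
    struct.pack_into(">I", hdr, 8, version)         # profile *format* version
    hdr[12:16] = b"mntr"                            # profile/device class
    hdr[16:20] = b"RGB "                            # data colour space
    hdr[20:24] = b"XYZ "                            # profile connection space
    hdr[36:40] = b"acsp"                            # ICC file signature
    hdr[48:52] = manufacturer                       # device manufacturer signature
    hdr[80:84] = creator                            # profile creator signature
    return bytes(hdr)


def parse_header(data):
    """Decode the header fields exiftool reports as CMM type, profile
    version, device manufacturer and profile creator."""
    if len(data) < ICC_HEADER_LEN or data[36:40] != b"acsp":
        raise ValueError("not an ICC profile header")
    raw = struct.unpack_from(">I", data, 8)[0]
    # Bytes 8-11 are the ICC spec version in BCD: major in byte 8, minor and
    # bug-fix in the two nibbles of byte 9, so 0x02300000 decodes to "2.3.0".
    # That is the version of the profile format, not of the CMM that wrote it.
    version = f"{raw >> 24}.{(raw >> 20) & 0xF}.{(raw >> 16) & 0xF}"
    return {
        "cmm_type": data[4:8].decode("latin-1"),  # 'lcms' is shown as "Little CMS"
        "profile_version": version,
        "device_manufacturer": data[48:52].decode("latin-1"),
        "profile_creator": data[80:84].decode("latin-1"),
    }


def find_profiles(blob):
    """Locate every ICC header in a raw byte string (a standalone .icc file or
    a decompressed PDF ICCBased stream) and return (offset, fields) pairs."""
    found, pos = [], 0
    while (sig := blob.find(b"acsp", pos)) != -1:
        start = sig - 36
        if start >= 0 and start + ICC_HEADER_LEN <= len(blob):
            found.append((start, parse_header(blob[start:start + ICC_HEADER_LEN])))
        pos = sig + 4
    return found


if __name__ == "__main__":
    for off, fields in find_profiles(b"%PDF-1.7 ..." + build_header() + b"endstream"):
        print(off, fields)
```

Run it against a decompressed ICC stream from the PDF in question; if the version field says 2.3.0 while the JDK is current, the finding is about the profile header, and the lcms version has to be established from the JDK build instead.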