Hello everyone, I hope this is the right mailing list in which to discuss such questions. I tried on the user taglibs mailing list and they suggested here.
The library hasn't changed since 2015 (version 1.2.5) but there are several CVEs logged against it. They are CVE-2020-29243-5. They are all ranked as 6.5 medium by NIST. What is the chance of any fix for these issues please?

The library is quite a low level one in that several higher level components have it as a dependency. This makes such components vulnerable. I'm thinking of Axis2. I did an OWASP analysis on it and that is what reported those CVEs. Axis2 is getting rid of the CVEs that are ranked as high or critical, which means the medium ones will be next.

--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk