CVE-2022-40152 affecting com.fasterxml.woodstox:woodstox-core

[ron-ak-p]

CVE-2022-40152 is a vulnerability affecting com.fasterxml.woodstox:woodstox-core, which is a transitive dependency of java-saml via org.apache.santuario:xmlsec. Requesting that you upgrade the dependency org.apache.santuario:xmlsec to 3.0.2+ or 2.3.3+ when they are released. It appears both will include upgraded versions of woodstox-core in which this vulnerability is fixed. Thank you!

[pitbulk]

Noted

[MioG777829]

Adding interest in this update. Snyk has assigned another XML External Entity (XXE) Injection vulnerability with no CVE number, in com.fasterxml.woodstox:woodstox-core < 5.3.0, the rating of 9.4 out of 10.
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754

[veselov]

As far as these things go in my experience, it's not particularly possible to wait until all maintainers of my project(s) direct dependencies update theirs, which will require a constant stream of patch releases, and I don't think is a reasonable burden to expect each maintainer to take on. In addition, different direct dependencies will have various versions of the same transitive dependency anyway.
I gave up on this expectation long time ago. The only way is to maintain one's own manifest with all dependencies that have been affected by a vulnerability at least once, using POM's dependencyManagement support. I will need to provide an update to my (deployable somewhere/exposed to the internet) application a lot faster than waiting for each dependency to update theirs, and I can't just say "no, I can't patch this vulnerability because so and so maintainer hasn't updated their library.