Currently, the owasp-java-html-sanitizer dependency is at version 20220608.1, but this version pulls in Guava at version 30.1-jre, which leads to security warnings CVE-2023-2976 and CVE-2020-8908. These likely do not affect Keycloak, but they are a distraction which could obfuscate more real security issues worth looking into.
The owasp-java-html-sanitizer recently released version 20240325.1, which completely removes Guava, thus removing the above CVEs too.
Keycloak should upgrade the owasp-java-html-sanitizer.
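As an added illustration (not from the issue or from Keycloak's own build files), the Maven coordinates involved, with the version bump the issue asks for and a way to confirm that Guava no longer enters the dependency tree transitively; the groupId is the artifact's published Maven Central coordinate, and the surrounding pom structure is assumed:

```xml
<!-- Added example, not Keycloak's actual pom.xml: the version the issue
     reports (20220608.1) transitively pulls in com.google.guava:guava:30.1-jre,
     which is what triggers the CVE-2023-2976 / CVE-2020-8908 scanner findings.
     Version 20240325.1 drops the Guava dependency entirely. -->
<dependency>
  <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
  <artifactId>owasp-java-html-sanitizer</artifactId>
  <version>20240325.1</version>
</dependency>

<!-- Verification after the bump: the filtered tree should print no entries
     for Guava unless some other dependency still brings it in.

       mvn dependency:tree -Dincludes=com.google.guava:guava

     If Guava still appears, the output names the artifact that pulls it in,
     which is the one to address next rather than this sanitizer. -->
```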