sweet_xml vulnerability on 0.6 #95

Closed
mcbloch opened this issue Mar 5, 2022 · 1 comment
mcbloch commented Mar 5, 2022

sweet_xml has an XML bomb vulnerability in version 0.6, which is used by this library. They fixed it in 0.7.

kbrw/sweet_xml#71

Environment

  • Waffle version (mix deps): 1.1.6
  • Waffle dependencies when applicable (mix deps): sweet_xml 0.6.6

@achempion
Member

Hey, thank you for the report. I've updated deps two weeks ago and we're currently on recent version 0.7.2.

This dependency is also optional and only needed for S3 integration.
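
A lock-file check for the condition reported in this thread, as an added example that is not part of the issue or of Waffle's code: it reads a `mix.lock` body and reports whether `sweet_xml` is locked below 0.7, treating a missing entry as the optional dependency not being installed. The function names and the sample lock bodies (with placeholder checksums) are constructed for illustration.

```python
import re

FIXED = (0, 7, 0)  # first fixed release line, per the issue ("They fixed it in 0.7")

# A Hex entry in mix.lock looks like: "app": {:hex, :package, "version", ...
HEX_ENTRY = re.compile(r'"[a-z0-9_]+":\s*\{:hex,\s*:([a-z0-9_]+),\s*"([^"]+)"')

# Constructed sample lock bodies; PLACEHOLDER stands in for the real checksums.
LOCK_OLD = '''%{
  "sweet_xml": {:hex, :sweet_xml, "0.6.6", "PLACEHOLDER", [:mix], [], "hexpm", "PLACEHOLDER"},
  "waffle": {:hex, :waffle, "1.1.6", "PLACEHOLDER", [:mix], [], "hexpm", "PLACEHOLDER"},
}'''
LOCK_NEW = LOCK_OLD.replace('"0.6.6"', '"0.7.2"')
LOCK_NO_S3 = '''%{
  "waffle": {:hex, :waffle, "1.1.6", "PLACEHOLDER", [:mix], [], "hexpm", "PLACEHOLDER"},
}'''


def locked_versions(lock_text):
    """Map each Hex package in a mix.lock body to its locked version string."""
    return {pkg: version for pkg, version in HEX_ENTRY.findall(lock_text)}


def is_fixed(version):
    """True when version is 0.7.0 or later; a pre-release of 0.7.0 is not counted."""
    core, _, pre = version.split("+", 1)[0].partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts += (0,) * (3 - len(parts))
    return parts > FIXED or (parts == FIXED and not pre)


def sweet_xml_status(lock_text):
    """Classify a lock file as 'absent', 'vulnerable' or 'fixed'."""
    version = locked_versions(lock_text).get("sweet_xml")
    if version is None:
        return "absent"  # optional dependency: nothing locked, nothing to upgrade
    return "fixed" if is_fixed(version) else "vulnerable"


if __name__ == "__main__":
    for label, body in [("old", LOCK_OLD), ("new", LOCK_NEW), ("no S3", LOCK_NO_S3)]:
        print(label, sweet_xml_status(body))
```

To check a real project, pass the contents of its `mix.lock` to `sweet_xml_status`.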
