🔒️ Denial of Service due to parser crash in Woodstox 6.2.4

[LVMVRQUXL]

📝 Description

Security vulnerability encountered by Dependabot.

• Package: com.fasterxml.woodstox:woodstox-core.
• Affected versions: >= 6.0.0, < 6.4.0.
• Patched version: 6.4.0.

Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

This vulnerability is only relevant for users making use of the DTD parsing functionality.

See advisory in GitHub Advisory Database.

🔗 Dependencies

This issue is blocked by the following items:

• Woodstox:6.2.4 Security vulnerability in Dokka versions Kotlin/dokka#3194

[LVMVRQUXL]

In Kotools Samples, Woodstox is a transitive dependency: this project depends on Dokka 1.8.20, which indirectly depends on Woodstox 6.2.4.

\--- org.jetbrains.dokka:org.jetbrains.dokka.gradle.plugin:1.8.20
     \--- org.jetbrains.dokka:dokka-gradle-plugin:1.8.20
          \--- org.jetbrains.dokka:dokka-core:1.8.20
               +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.12.7
               |    +--- com.fasterxml.woodstox:woodstox-core:6.2.4

So upgrading Dokka for supporting the patched version of Woodstox should resolve this issue.
But Dokka 1.9.20, being the latest stable version on 2024-11-14, doesn't support Woodstox 6.4.0...