Looking to use webdrivermanager-java version 5.1.0. It has a dependency on org.brotli:dec 0.1.2 (dec-0.1.2.jar), which was released in 2017.

NVD reports CVE-2020-8927 about brotli versions before 1.0.8 - but it's not specific to native or Java releases.

Can anyone clarify if this CVE applies to the webdrivermanager java release? If so, is there a brotli java release planned to rectify this? 0.1.2 is the most recent in mvnrepository.

If this is an issue, would webdrivermanager consider revising its java code to use another library?

Thanks. Bob

1 Answer

I'll close this now.

After further reflection, this CVE is for a "Buffer Overflow", which must refer to the full "C"-based brotli code, not the small Java decompression utility (Buffer Overflows are not found in Java).

Thanks. Bob