Thanks for the feedback @overheadhunter
Any chance I can track the change in some way? Is this already tied to an “Issue”?
I don’t know the project well so not sure which repo this change will happen in.
Please do not just post vulnerabilities in public; this creates a massive risk for Cryptomator users, depending on the vulnerabilities. Of course, you can disclose them if we refuse to answer after a fair amount of time. See also our security policy and the general concept of Coordinated vulnerability disclosure - Wikipedia.
Regarding the CVEs: We are still evaluating if Cryptomator is affected. We will update the used JDK anyway, but currently it is not clear if the reported CVEs can be used with Cryptomator.
First of all, apologies for not following the coordinated vuln disclosure guidelines. I will make sure to follow these in the future if needed. Thank you for the follow-up and swift actions @infeo @overheadhunter