List: oss-security
Subject: Re: [oss-security] [CVE-2022-44730] Apache Batik information disclosure vulnerability
From: Moritz Bechler <mbechler () eenterphace ! org>
Date: 2023-08-22 21:21:47
Message-ID: 27c254dd-41da-7326-f49f-5eb6aeeac5ae () eenterphace ! org
Hi,
> CVE-2022-44730:
> Apache Batik information disclosure vulnerability
>
> Severity:
> Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Batik 1.0 - 1.16
>
> Description:
> Switch to empty whitelist for rhino
And here the linked bug does not reference the appropriate commit, but
one in which the whitelist wasn't actually empty
(<https://svn.apache.org/viewvc?view=revision&revision=1905011> would be
the more recent update). Putting java.lang.System on that list would
have been a pretty bad choice, so, good that that did not make it into
the release.
I have the feeling that maybe Apache has a mail template that has
"information disclosure vulnerability" in the subject as an example, as
I have noticed in other cases that the subjects indicate information
disclosure when the issue really is something else.
Moritz