
List:       oss-security
Subject:    Re: [oss-security] [CVE-2022-44730] Apache Batik information disclosure vulnerability
From:       Moritz Bechler <mbechler () eenterphace ! org>
Date:       2023-08-22 21:21:47
Message-ID: 27c254dd-41da-7326-f49f-5eb6aeeac5ae () eenterphace ! org

Hi,

> CVE-2022-44730:
>          Apache Batik information disclosure vulnerability
> 
> Severity:
>          Medium
> 
> Vendor:
>          The Apache Software Foundation
> 
> Versions Affected:
>          Batik 1.0 - 1.16
> 
> Description:
>          Switch to empty whitelist for rhino

And here the linked bug does not reference the appropriate commit, but 
one in which the whitelist wasn't actually empty 
(<https://svn.apache.org/viewvc?view=revision&revision=1905011> would be 
the more recent update). Putting java.lang.System on that list would 
have been a pretty bad choice, so, good that that did not make it into 
the release.


I have the feeling that maybe Apache has a mail template that has 
"information disclosure vulnerability" in the subject as an example, as 
I have noticed in other cases that the subjects indicate information 
disclosure when the issue really is something else.


Moritz

