Date: Tue, 22 Aug 2023 23:21:47 +0200 From: Moritz Bechler <mbechler@...terphace.org> To: oss-security@...ts.openwall.com, Simon Steiner <simonsteiner1984@...il.com>, fibr3s@...il.com Cc: security@...che.org Subject: Re: [CVE-2022-44730] Apache Batik information disclosure vulnerability Hi, > CVE-2022-44730: > Apache Batik information disclosure vulnerability > > Severity: > Medium > > Vendor: > The Apache Software Foundation > > Versions Affected: > Batik 1.0 - 1.16 > > Description: > Switch to empty whitelist for rhino And here the liked bug does not reference the appropriate commit, but one in which the whitelist wasn't actually empty (<https://svn.apache.org/viewvc?view=revision&revision=1905011> would be the more recent update). Putting java.lang.System on that list would have been a pretty bad choice, so, good that that did not make it into the release. I have the feeling that maybe Apache has a mail template that has "information disclosure vulnerability" in the subject as an example, as I have noticed in other cases that the subjects indicate information disclosure when the issue really is something else. Moritz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.