Re: [CVE-2022-44730] Apache Batik information disclosure vulnerability

[Moritz Bechler <mbechler () eenterphace org>]

Hi,

> CVE-2022-44730:
>          Apache Batik information disclosure vulnerability
>
> Severity:
>          Medium
>
> Vendor:
>          The Apache Software Foundation
>
> Versions Affected:
>          Batik 1.0 - 1.16
>
> Description:
>          Switch to empty whitelist for rhino

And here the liked bug does not reference the appropriate commit, but 
one in which the whitelist wasn't actually empty 
(<https://svn.apache.org/viewvc?view=revision&revision=1905011> would be 
the more recent update). Putting java.lang.System on that list would 
have been a pretty bad choice, so, good that that did not make it into 
the release.


 I have the feeling that maybe Apache has a mail template that has 
"information disclosure vulnerability" in the subject as an example, as 
I have noticed in other cases that the subjects indicate information 
disclosure when the issue really is something else.


Moritz