oss-sec mailing list archives
Re: [CVE-2022-44730] Apache Batik information disclosure vulnerability
From: Moritz Bechler <mbechler () eenterphace org>
Date: Tue, 22 Aug 2023 23:21:47 +0200
Hi,
CVE-2022-44730: Apache Batik information disclosure vulnerability Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Batik 1.0 - 1.16 Description: Switch to empty whitelist for rhino
And here the liked bug does not reference the appropriate commit, but one in which the whitelist wasn't actually empty (<https://svn.apache.org/viewvc?view=revision&revision=1905011> would be the more recent update). Putting java.lang.System on that list would have been a pretty bad choice, so, good that that did not make it into the release.
I have the feeling that maybe Apache has a mail template that has "information disclosure vulnerability" in the subject as an example, as I have noticed in other cases that the subjects indicate information disclosure when the issue really is something else.
Moritz
Current thread:
- [CVE-2022-44730] Apache Batik information disclosure vulnerability Simon Steiner (Aug 22)
- Re: [CVE-2022-44730] Apache Batik information disclosure vulnerability Moritz Bechler (Aug 22)