Re: CVE-2022-40160O on commons-jxpath

2023-06-30 Thread Gary Gregory
You're welcome and keep asking :-)

Gary


On Fri, Jun 30, 2023, 10:10 Tomo Suzuki  wrote:

> Good to know about such cases. As always, thank you for maintaining the OSS
> ecosystem, including responding to vulnerability questions.
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2022-40160
> Description
>
> ** DISPUTED ** This record was originally reported by the oss-fuzz project
> who failed to consider the security context in which JXPath is intended to
> be used and failed to contact the JXPath maintainers prior to requesting
> the CVE allocation. The CVE was then allocated by Google in breach of the
> CNA rules. After review by the JXPath maintainers, the original report was
> found to be invalid.
>
> On Fri, Jun 30, 2023 at 09:40 Gary Gregory  wrote:
>
> > That CVE is invalid, please see
> > https://nvd.nist.gov/vuln/detail/CVE-2022-40160
> >
> > You should rely on official CVE databases like nist.gov.
> >
> > Gary
> >
> >
> >
> > On Fri, Jun 30, 2023, 09:04 Debraj Manna wrote:
> >
> > > commons-jxpath 1.3 is also getting flagged for CVE-2022-40159.
> > >
> > > On Fri, Jun 30, 2023 at 6:28 PM Debraj Manna wrote:
> > >
> > > > Hi
> > > >
> > > > We have been flagged for CVE-2022-401600 on
> > > > commons-jxpath, version 1.3.
> > > >
> > > > Can someone let me know if commons-jxpath is really affected by this
> > > > vulnerability? If yes, is there any plan to fix this?
> > > >
> > >
> >
> --
> Regards,
> Tomo
>


Re: CVE-2022-40160O on commons-jxpath

2023-06-30 Thread Tomo Suzuki
Good to know about such cases. As always, thank you for maintaining the OSS
ecosystem, including responding to vulnerability questions.


https://nvd.nist.gov/vuln/detail/CVE-2022-40160
Description

** DISPUTED ** This record was originally reported by the oss-fuzz project
who failed to consider the security context in which JXPath is intended to
be used and failed to contact the JXPath maintainers prior to requesting
the CVE allocation. The CVE was then allocated by Google in breach of the
CNA rules. After review by the JXPath maintainers, the original report was
found to be invalid.

On Fri, Jun 30, 2023 at 09:40 Gary Gregory  wrote:

> That CVE is invalid, please see
> https://nvd.nist.gov/vuln/detail/CVE-2022-40160
>
> You should rely on official CVE databases like nist.gov.
>
> Gary
>
>
>
> On Fri, Jun 30, 2023, 09:04 Debraj Manna  wrote:
>
> > commons-jxpath 1.3 is also getting flagged for CVE-2022-40159.
> >
> > On Fri, Jun 30, 2023 at 6:28 PM Debraj Manna wrote:
> >
> > > Hi
> > >
> > > We have been flagged for CVE-2022-401600 on
> > > commons-jxpath, version 1.3.
> > >
> > > Can someone let me know if commons-jxpath is really affected by this
> > > vulnerability? If yes, is there any plan to fix this?
> > >
> >
>
-- 
Regards,
Tomo


Re: CVE-2022-40160O on commons-jxpath

2023-06-30 Thread Gary Gregory
That CVE is invalid, please see
https://nvd.nist.gov/vuln/detail/CVE-2022-40160

You should rely on official CVE databases like nist.gov.

Gary



On Fri, Jun 30, 2023, 09:04 Debraj Manna  wrote:

> commons-jxpath 1.3 is also getting flagged for CVE-2022-40159.
>
> On Fri, Jun 30, 2023 at 6:28 PM Debraj Manna wrote:
>
> > Hi
> >
> > We have been flagged for CVE-2022-401600 on
> > commons-jxpath, version 1.3.
> >
> > Can someone let me know if commons-jxpath is really affected by this
> > vulnerability? If yes, is there any plan to fix this?
> >
>


Re: CVE-2022-40160O on commons-jxpath

2023-06-30 Thread Debraj Manna
commons-jxpath 1.3 is also getting flagged for CVE-2022-40159.

On Fri, Jun 30, 2023 at 6:28 PM Debraj Manna wrote:

> Hi
>
> We have been flagged for CVE-2022-401600 on
> commons-jxpath, version 1.3.
>
> Can someone let me know if commons-jxpath is really affected by this
> vulnerability? If yes, is there any plan to fix this?
>