A Critical Vulnerability with CVSS score 9.8

We, at Progress, use the latest CSS validator in one of our products for validating CSS. Our security scans have been reporting issues with commons-text-1.9.jar, which is used by the CSS validator.
https://github.com/w3c/css-validator/releases/tag/cssval-20220105

The following critical vulnerability with CVSS score 9.8 is reported on commons-text-1.9.jar. Are there any plans to update the CSS validator with commons-text-1.10.jar and make it available?


CVE-2022-42889 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42889> | CWE-94 <http://cwe.mitre.org/data/definitions/94.html>

Arbitrary Code Execution: Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the `lookup` module due to insecure interpolation defaults when untrusted configuration values are used which allows an attacker to inject arbitrary code into the system.

Will appreciate a quick response.


Thanks.

Regards
Phani

Received on Friday, 24 November 2023 12:48:28 UTC
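Added example, not from the message above or from the CSS validator project: the mitigation the CVE description points at, an explicit allow-list of lookups instead of the library's interpolation defaults, written against the Apache Commons Text API. The class name, the `weak`/`hardened` helpers and the sample input are assumptions.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {
    // Weak: the default interpolator of commons-text 1.5 to 1.9 enables every
    // built-in lookup, so a value taken from untrusted configuration is
    // resolved with lookups such as script:, url: and dns: (CVE-2022-42889).
    static String weak(String untrustedValue) {
        return StringSubstitutor.createInterpolator().replace(untrustedValue);
    }

    // Hardened: build the interpolator from an explicit allow-list and pass
    // addDefaultLookups=false, so only the prefixes named here are honoured,
    // whatever defaults the installed library version ships with.
    static String hardened(String untrustedValue) {
        Map<String, StringLookup> allowed = Map.of(
            "app", StringLookupFactory.INSTANCE.mapStringLookup(
                Map.of("name", "css-validator", "release", "cssval-20220105")));
        StringLookup lookup = StringLookupFactory.INSTANCE
            .interpolatorStringLookup(allowed, null, false);
        // References with any other prefix are left unresolved in the output.
        return new StringSubstitutor(lookup).replace(untrustedValue);
    }

    public static void main(String[] args) {
        // Constructed sample value: one allowed reference beside a system lookup.
        String input = "product=${app:name} home=${sys:user.home}";
        System.out.println(weak(input));
        System.out.println(hardened(input));
    }
}
```

Upgrading to 1.10.0 removes the dangerous lookups from the defaults, but the allow-list above is the setting to keep regardless, since it does not depend on which version the build resolves.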