We, at Progress, use the latest CSS validator for one of the products for validating CSS. Our security scans have been reporting issues with common-text-1.9.jar which is used by CSS-Validator.
https://github.com/w3c/css-validator/releases/tag/cssval-20220105
The following critical vulnerability with CVSS Score 9.8 is reported on Common-text-1.9.jar. Are there any plans to update CSS validator with Common-text-1.10.jar and make it available?
CVE-2022-42889<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42889> | CWE-94<http://cwe.mitre.org/data/definitions/94.html>
Arbitrary Code Execution: Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the `lookup` module due to insecure interpolation defaults when untrusted configuration values are used which allows an attacker to inject arbitrary code into the system.
Will appreciate a quick response.
Thanks.
Regards
Phani
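
To confirm which copies of the library a deployment actually ships, the following added example (not part of the original message or of the css-validator project) walks a directory and reports every Commons Text jar it finds, including copies nested inside other archives or merged into a shaded jar. It assumes the published affected range for CVE-2022-42889 (1.5 through 1.9, fixed in 1.10.0); the function names are hypothetical.

```python
import io
import re
import zipfile
from pathlib import Path

# Matches the real artifact name (commons-text) and the spelling used in the message.
JAR_RE = re.compile(r"commons?-text-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def is_affected(version):
    """CVE-2022-42889 affects 1.5 through 1.9; 1.10.0 is the first fixed release."""
    parts = tuple(int(p) for p in version.split("."))[:2]
    return (1, 5) <= parts < (1, 10)


def check_name(name, location, findings):
    match = JAR_RE.search(name)
    if match:
        findings.append((location, match.group(1), is_affected(match.group(1))))


def scan_archive(data, label, findings, depth=0):
    """Find commons-text bundled as a nested jar or merged into a shaded jar."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with archive:
        for name in archive.namelist():
            inner = f"{label}!{name}"
            check_name(name, inner, findings)
            if name == POM_PROPS:  # shaded jars usually keep the Maven metadata
                text = archive.read(name).decode("utf-8", "replace")
                found = re.search(r"^version=(\d+(?:\.\d+)*)", text, re.MULTILINE)
                if found:
                    findings.append((inner, found.group(1), is_affected(found.group(1))))
            elif depth < 3 and name.lower().endswith(ARCHIVES):
                scan_archive(archive.read(name), inner, findings, depth + 1)


def scan_tree(root):
    """Return (location, version, affected) for every commons-text copy under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            check_name(path.name, str(path), findings)
            if path.suffix.lower() in ARCHIVES:
                scan_archive(path.read_bytes(), str(path), findings)
    return findings
```

A real jar that is itself nested in another archive can be reported twice, once by file name and once by its Maven metadata; both entries point at the same copy.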