Re: A Critical Vulnerability with CVSS score 9.8

> On 22 Nov 2023, at 14:39, Phani Kumar Kavuri <> wrote:
> We, at Progress, use the latest CSS validator for one of the products for validating CSS.  Our security scans have been reporting issues with common-text-1.9.jar which is used by CSS-Validator. 
> Release cssval-20220105 · w3c/css-validator
> Updated dependencies + build options + specs updates
> The following critical vulnerability with CVSS Score 9.8 is reported on Common-text-1.9.jar.  Are there any plans to update the CSS validator with Common-text-1.10.jar and make it available?
> CVE-2022-42889 | CWE-94
> Arbitrary Code Execution: Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the `lookup` module due to insecure interpolation defaults when untrusted configuration values are used which allows an attacker to inject arbitrary code into the system.
> Will appreciate a quick response. 

Fixed and checked dependencies, and as you are using releases, I pushed a new release, as it also contains other bug fixes in the handling of CSS.

Baroula que barouleras, au tiéu toujou t'entourneras.
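A defensive configuration for the `lookup` interpolation issue discussed in this thread, as an added example that is not part of the thread, of css-validator or of commons-text itself: it assumes commons-text 1.9 on the classpath and that `sys` and `env` are the only lookup prefixes the application needs; the class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Lookup prefixes that reach outside the process (CVE-2022-42889); never allowed here.
    private static final Pattern DANGEROUS_PREFIX =
        Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    /** Substitutor that only knows explicitly allow-listed lookups (assumed set: sys, env). */
    static StringSubstitutor allowlistedSubstitutor() {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", f.systemPropertyStringLookup());      // e.g. ${sys:java.version}
        allowed.put("env", f.environmentVariableStringLookup()); // e.g. ${env:HOME}
        // addDefaultLookups=false: script, dns, url and the other defaults are not registered
        StringLookup interpolator = f.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    /** Reject a configuration value outright if it names a disallowed lookup. */
    static boolean containsDisallowedLookup(String value) {
        return value != null && DANGEROUS_PREFIX.matcher(value).find();
    }

    /** Interpolate an untrusted value with both layers of defence applied. */
    static String render(String untrustedTemplate) {
        if (containsDisallowedLookup(untrustedTemplate)) {
            throw new IllegalArgumentException("disallowed interpolation lookup in value");
        }
        return allowlistedSubstitutor().replace(untrustedTemplate);
    }

    public static void main(String[] args) {
        // Constructed sample values for this example.
        System.out.println(render("Running on Java ${sys:java.version}"));
        try {
            render("${script:javascript:...}");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to 1.10 (where the risky lookups are no longer in the default interpolator) remains the primary fix; the allow-list above keeps the risky prefixes inert even while the older jar is still on the classpath.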


Received on Friday, 24 November 2023 13:39:20 UTC