Re: A Critical Vulnerability with CVSS score 9.8

> On 22 Nov 2023, at 14:39, Phani Kumar Kavuri <pkavuri@progress.com> wrote:
> 
> We, at Progress, use the latest CSS validator for one of the products for validating CSS. Our security scans have been reporting issues with common-text-1.9.jar which is used by CSS-Validator.
> https://github.com/w3c/css-validator/releases/tag/cssval-20220105
> 
> The following critical vulnerability with CVSS Score 9.8 is reported on Common-text-1.9.jar. Are there any plans to update CSS validator with Common-text-1.10.jar and make it available?
> 
> CVE-2022-42889 | CWE-94
> Arbitrary Code Execution: Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the `lookup` module due to insecure interpolation defaults when untrusted configuration values are used which allows an attacker to inject arbitrary code into the system.
> 
> Will appreciate a quick response.

Hi,
Fixed and checked dependencies, and as you are using releases, I pushed a new release, as it also contains other bug fixes in the handling of CSS.
See
https://github.com/w3c/css-validator/releases/tag/cssval-20231124
Cheers,

-- 
Roam as far as you will, you will always return to your own.

        ~~Yves
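For readers who embed Commons Text themselves rather than only consuming the validator release: the weak default the CVE description above refers to, beside a hardened configuration that only resolves an explicit allowlist of lookups. This is an added example, not code from the thread or from the css-validator project; the `app` prefix and the sample map are constructed.

```java
// Added example: restricting Apache Commons Text string interpolation so that
// untrusted "${...}" references can only hit an explicit allowlist of lookups.
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // Weak form: createInterpolator() wires in every default lookup. On
    // commons-text 1.9 and earlier that default set includes lookups that
    // fetch or evaluate content, which is what CVE-2022-42889 is about.
    // (1.10.0 removes those from the defaults, but an explicit allowlist is
    // still the safer choice when the input is not fully trusted.)
    static String interpolateWithDefaults(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened form: build the interpolator from an explicit prefix->lookup
    // map and pass addDefaultLookups=false, so only "app:" resolves.
    static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        StringLookup appLookup = StringLookupFactory.INSTANCE.mapStringLookup(appValues);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("app", appLookup), // allowlisted prefix (constructed name)
                appLookup,                // unprefixed "${key}" also goes to the app map
                false);                   // do NOT add the default lookups
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Default behaviour, made explicit: references that resolve to nothing
        // are left as literal text instead of throwing.
        sub.setEnableUndefinedVariableException(false);
        return sub;
    }

    public static void main(String[] args) {
        Map<String, String> appValues = Map.of("color", "#336699"); // constructed sample
        StringSubstitutor sub = restrictedSubstitutor(appValues);
        // Allowlisted prefix resolves from the application-controlled map.
        System.out.println(sub.replace("a { color: ${app:color}; }"));
        // Any prefix that is not in the map falls through to the app map only,
        // finds nothing, and is left untouched rather than interpreted.
        System.out.println(sub.replace("${unknown:whatever}"));
    }
}
```

The first `println` yields `a { color: #336699; }`; the second prints `${unknown:whatever}` unchanged, because no lookup other than the one in the map is ever consulted.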

Received on Friday, 24 November 2023 13:39:20 UTC