A Vulnerability with CVSS score 4.3

Hi Team

We, at Progress Software, use the latest CSS validator in one of our products for validating CSS. Our security scans have been reporting issues with commons-io:2.8.0, which is used by CSS-Validator.
https://github.com/w3c/css-validator/releases/tag/cssval-20231124

The following critical vulnerability with CVSS score 4.3 is reported on commons-io:2.8.0.jar. Are there any plans to update the CSS validator with commons-io-2.17.jar / commons-io-2.18.jar and make it available?
CVE-2024-47554 | CWE-400
We are internally using XRAY scan which reported the same vulnerability with score 7.5
Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

I will appreciate a quick response.

Thanks,
Sathyanarayana

Received on Friday, 17 January 2025 17:18:05 UTC