- From: Yves Lafon <ylafon@w3.org>
- Date: Mon, 20 Jan 2025 11:38:39 +0100
- To: Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com>
- Cc: Phani Kumar Kavuri <pkavuri@progress.com>, Kiran Babu <Kiranb@progress.com>, Hari Krishna Tirunagari <Harikrishna.Tirunagari@progress.com>, Mithun Kumar Singh <misingh@progress.com>, Amith Lambu <alambu@progress.com>, www-validator-css@w3.org
Dear Sathyanarayana,
Thanks for the heads-up!
I checked what packages are in use and commons-io is not used at all in the CSS Validator.
Is it a false positive, or is your scanner able to find similar issues located in other packages?
Velocity 1.7 (installed from the Debian repository, see [1]) defines something io-related: org/apache/velocity/io/UnicodeInputStream. Could it be this one?
Thanks,
[1] https://packages.debian.org/bookworm/velocity
> On 17 Jan 2025, at 07:05, Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com> wrote:
>
> Hi Team
>
> We, at Progress Software, use the latest CSS validator for one of the products for validating CSS. Our security scans have been reporting issues with common-io:2.8.0 which is used by CSS-Validator.
> https://github.com/w3c/css-validator/releases/tag/cssval-20231124
>
> The following critical vulnerability with CVSS Score 4.3 is reported on common-io:2.8.0.jar. Are there any plans to update CSS validator with common-io-2.17.jar/ common-io-2.18.jar and make it available?
> CVE-2024-47554 | CWE-400
> We are internally using XRAY scan which reported the same vulnerability with score 7.5
> Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
>
> Will appreciate a quick response.
>
> Thanks,
> Sathyanarayana
--
Baroula que barouleras, au tiéu toujou t'entourneras.
~~Yves
Received on Monday, 20 January 2025 10:38:53 UTC
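The question raised in this thread (is the flagged commons-io jar really on the classpath, or is the scanner matching a look-alike such as Velocity's org/apache/velocity/io package?) can be settled by inspecting the jars themselves. The following is an added example, not code from the thread or from the CSS Validator project; the two jars it inspects are constructed in a temporary directory, and the Maven pom.properties path it reads is the standard location that commons-io ships.

```python
"""Check which jars on a classpath actually contain Apache Commons IO classes."""
import os
import tempfile
import zipfile

# Package prefix of the real commons-io artifact and the pom.properties it ships.
COMMONS_IO_PREFIX = "org/apache/commons/io/"
POM_PROPS = "META-INF/maven/commons-io/commons-io/pom.properties"


def inspect_jar(path):
    """Return (has_commons_io, version_or_None, io_like_packages) for one jar.

    io_like_packages lists packages with an 'io' segment that are NOT commons-io,
    e.g. org/apache/velocity/io, so a name-based scanner hit can be explained.
    """
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        has = any(n.startswith(COMMONS_IO_PREFIX) and n.endswith(".class") for n in names)
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        lookalikes = sorted({n.rsplit("/", 1)[0] for n in names
                             if n.endswith(".class") and "/io/" in n
                             and not n.startswith(COMMONS_IO_PREFIX)})
    return has, version, lookalikes


def scan_classpath(directory):
    """Map every *.jar in a directory to its inspection result."""
    return {f: inspect_jar(os.path.join(directory, f))
            for f in sorted(os.listdir(directory)) if f.endswith(".jar")}


def make_sample_jar(path, entries):
    """Build a constructed jar (a zip) holding the given entry names."""
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)


def demo():
    """Constructed classpath: a Velocity-style jar with an io package, and a real-looking commons-io jar."""
    tmp = tempfile.mkdtemp()
    make_sample_jar(os.path.join(tmp, "velocity-1.7.jar"),
                    {"org/apache/velocity/io/UnicodeInputStream.class": b""})
    make_sample_jar(os.path.join(tmp, "commons-io-2.8.0.jar"),
                    {"org/apache/commons/io/IOUtils.class": b"",
                     POM_PROPS: b"version=2.8.0\ngroupId=commons-io\nartifactId=commons-io\n"})
    return scan_classpath(tmp)
```

Run `scan_classpath` over the validator's lib directory: a jar that reports `has_commons_io` False but lists a package such as org/apache/velocity/io is a name-based false positive, while a True result with a version below the fixed release is a genuine finding.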