Re: A Vulnerability with CVSS score 4.3 from Sathyanarayana Gundoji on 2025-01-24 (www-validator-css@w3.org from January 2025)

From: Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com>
Date: Fri, 24 Jan 2025 06:27:47 +0000
To: Yves Lafon <ylafon@w3.org>
CC: Phani Kumar Kavuri <pkavuri@progress.com>, Kiran Babu <Kiranb@progress.com>, Hari Krishna Tirunagari <Harikrishna.Tirunagari@progress.com>, Mithun Kumar Singh <misingh@progress.com>, "www-validator-css@w3.org" <www-validator-css@w3.org>
Message-ID: <DM6PR13MB40342F95C64EE62208A637B7EFE32@DM6PR13MB4034.namprd13.prod.outlook.com>

Hi Yves Lafon

Thanks for your quick response.
I have downloaded the latest jar from the https://github.com/w3c/css-validator/releases/download/cssval-20231124/css-validator.jar
There is reference related commons-io version 2.8 in pom.xml of the maven in the css-validator.jar itself. Our scanner tool is probably referring that pom.xml and reporting it.
I have downloaded the jar.

 Please find the reference below

[cid:bd225353-0e48-4892-8b07-e3b847cb496f]

Please let us know if this is being used somewhere.

Thanks,
Sathyanarayana

________________________________
From: Yves Lafon <ylafon@w3.org>
Sent: Monday, January 20, 2025 4:08 PM
To: Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com>
Cc: Phani Kumar Kavuri <pkavuri@progress.com>; Kiran Babu <Kiranb@progress.com>; Hari Krishna Tirunagari <Harikrishna.Tirunagari@progress.com>; Mithun Kumar Singh <misingh@progress.com>; Amith Lambu <alambu@progress.com>; www-validator-css@w3.org <www-validator-css@w3.org>
Subject: Re: A Vulnerability with CVSS score 4.3

Dear Sathyanarayana,
Thanks for the heads-up!

I checked what packages are in use and commons-io is not used at all in the CSS Validator.
Is it a false positive, or is your scanner able to find similar issues located in other packages?

Velocity 1.7 (installed from the Debian repository, see [1] defines something io-related: org/apache/velocity/io/UnicodeInputStream. Could it be this one?
Thanks,

[1] https://packages.debian.org/bookworm/velocity<https://packages.debian.org/bookworm/velocity>

> On 17 Jan 2025, at 07:05, Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com> wrote:
>
> Hi Team
>
> We, at Progress Software, use the latest CSS validator for one of the products for validating CSS. Our security scans have been reporting issues with common-io:2.8.0 which is used by CSS-Validator.
> https://github.com/w3c/css-validator/releases/tag/cssval-20231124
>
> The following critical vulnerability with CVSS Score 4.3 is reported on common-io:2.8.0.jar.Are there any plans to update CSS validator with common-io-2.17.jar/ common-io-2.18.jar and made available?
> CVE-2024-47554 | CWE-400
> We are internally using XRAY scan which reported the same vulnerability with score 7.5
> Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
>
> Will appreciate a quick response.
>
> Thanks,
> Sathyanarayana

--
Baroula que barouleras, au tiéu toujou t'entourneras.

~~Yves

Attachments

image/png attachment: image.png

Received on Friday, 24 January 2025 06:28:41 UTC