Re: A Vulnerability with CVSS score 4.3

> On 24 Jan 2025, at 07:27, Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com> wrote:
> 
> Hi Yves Lafon
> 
> Thanks for your quick response. 
> I have downloaded the latest jar from the https://github.com/w3c/css-validator/releases/download/cssval-20231124/css-validator.jar
> There is a reference to commons-io version 2.8 in the pom.xml of the Maven metadata inside the css-validator.jar itself. Our scanner tool is probably referring to that pom.xml and reporting it.
> I have downloaded the jar.
> 
> Please find the reference below
> 
> <image.png>
> 
> Please let us know if this is being used somewhere.

It is created when generating the jar using ant, but not a single class from that package is included in the final jar.
META-INF/maven/commons-io/* comes from velocity-2.3.jar
HTH,


> 
> Thanks,
> Sathyanarayana
> 
> 
> 
> From: Yves Lafon <ylafon@w3.org>
> Sent: Monday, January 20, 2025 4:08 PM
> To: Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com>
> Cc: Phani Kumar Kavuri <pkavuri@progress.com>; Kiran Babu <Kiranb@progress.com>; Hari Krishna Tirunagari <Harikrishna.Tirunagari@progress.com>; Mithun Kumar Singh <misingh@progress.com>; Amith Lambu <alambu@progress.com>; www-validator-css@w3.org <www-validator-css@w3.org>
> Subject: Re: A Vulnerability with CVSS score 4.3
> Dear Sathyanarayana,
> Thanks for the heads-up!
> 
> I checked what packages are in use and commons-io is not used at all in the CSS Validator.
> Is it a false positive, or is your scanner able to find similar issues located in other packages?
> 
> Velocity 1.7 (installed from the Debian repository, see [1]) defines something io-related: org/apache/velocity/io/UnicodeInputStream. Could it be this one?
> Thanks,
> 
> [1] https://packages.debian.org/bookworm/velocity
> 
> > On 17 Jan 2025, at 07:05, Sathyanarayana Gundoji <Sathyanarayana.Gundoji@progress.com> wrote:
> >
> > Hi Team
> >
> > We, at Progress Software, use the latest CSS validator for one of the products for validating CSS. Our security scans have been reporting issues with common-io:2.8.0 which is used by CSS-Validator.
> > https://github.com/w3c/css-validator/releases/tag/cssval-20231124
> >
> > The following critical vulnerability with CVSS Score 4.3 is reported on common-io:2.8.0.jar. Are there any plans to update the CSS validator with common-io-2.17.jar / common-io-2.18.jar and make it available?
> > CVE-2024-47554 | CWE-400
> > We are internally using XRAY scan which reported the same vulnerability with score 7.5
> > Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
> >
> > Will appreciate a quick response.
> >
> > Thanks,
> > Sathyanarayana
> 
> 
> --
> Baroula que barouleras, au tiéu toujou t'entourneras.
> 
> ~~Yves


-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

        ~~Yves

Received on Friday, 24 January 2025 23:16:25 UTC
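A defender-side check for the situation described in this thread, as an added example (not code from the CSS Validator project or from either correspondent): it reads a jar and separates Maven metadata under META-INF/maven/<groupId> from classes that are actually bundled, which is the distinction between a scanner false positive and a real dependency. The sample jar is constructed inline to mirror the thread; the org/example class name and the fake class bytes are placeholders.

```python
"""Tell a scanner hit on META-INF/maven metadata apart from a bundled dependency."""
import io
import sys
import xml.etree.ElementTree as ET
import zipfile
from typing import Optional

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def pom_version(pom_xml: bytes) -> Optional[str]:
    """Return <project><version>, falling back to <parent><version>."""
    root = ET.fromstring(pom_xml)
    for path in ("version", "parent/version"):
        node = root.find("/".join(POM_NS + p for p in path.split("/")))
        if node is not None and node.text:
            return node.text.strip()
    return None


def audit_jar(jar: zipfile.ZipFile, group_id: str, package_prefix: str) -> dict:
    """Compare Maven pom.xml entries for group_id with .class files under package_prefix."""
    names = jar.namelist()
    pom_prefix = f"META-INF/maven/{group_id}/"
    # Path layout is META-INF/maven/<groupId>/<artifactId>/pom.xml, so index 3 is artifactId.
    poms = {f"{n.split('/')[3]}:{pom_version(jar.read(n))}"
            for n in names if n.startswith(pom_prefix) and n.endswith("/pom.xml")}
    classes = [n for n in names if n.startswith(package_prefix) and n.endswith(".class")]
    verdict = "shipped" if classes else ("metadata-only" if poms else "absent")
    return {"verdict": verdict, "pom_artifacts": sorted(poms), "classes": classes}


def build_sample_jar() -> zipfile.ZipFile:
    """Constructed jar: commons-io pom.xml present, velocity's io class present,
    no org/apache/commons/io class at all (class bytes are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/maven/commons-io/commons-io/pom.xml",
                   '<project xmlns="http://maven.apache.org/POM/4.0.0">'
                   "<groupId>commons-io</groupId><artifactId>commons-io</artifactId>"
                   "<version>2.8.0</version></project>")
        z.writestr("org/apache/velocity/io/UnicodeInputStream.class", b"\xca\xfe\xba\xbe")
        z.writestr("org/example/App.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def sample_verdict() -> dict:
    """Run the audit on the constructed jar for commons-io."""
    return audit_jar(build_sample_jar(), "commons-io", "org/apache/commons/io/")


if __name__ == "__main__":
    target = zipfile.ZipFile(sys.argv[1]) if len(sys.argv) > 1 else build_sample_jar()
    print(audit_jar(target, "commons-io", "org/apache/commons/io/"))
```

Run it with a path to a real jar as the first argument to audit that jar instead of the constructed sample; a "metadata-only" verdict means the pom.xml was copied in without the artifact's classes.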