On 27/01/2023 11:50, David Schumann wrote:
> Hello,
> during a PenTest we found a ReDoS issue in the JRE which causes
> Matcher.matches() to go into an endless loop. Is such an issue
> considered a bug for the JDK team (aka should I file a bug report)? Or
> is such an issue considered "by design"?
> The issue appears in current JRE versions (tested with 17 and 21).
We can't discuss such matters here. If you think there is a security
issue then please report it to the OpenJDK vulnerability group [1].
-Alan.
[1] https://openjdk.org/groups/vulnerability/report