Howdy folks,

I recently saw that there was a reported CVE [1] for Apache JXPath that became public due to no response to the reporter over 90 days. I am uncertain whether the reporter had tried reaching out to the appropriate security lists beforehand and was ignored, or failed to follow our established procedures. Regardless, the issue is now public.
I have not personally verified the vulnerability, nor assessed the impact. NIST thinks it is a Big Deal, though, scoring it 9.8/10 [2]. It is hard to assess impact since the project does not publish artifacts to Maven Central, but I'm also taking that as an indicator of low adoption at this point in time. Further, the project has not had a release since 2015. There has been very limited mailing list activity, and the last 5 years of commits have only been typo/comment fixes.

If there is no community around it, is there a path to retirement? What are the next steps?

Thanks,
Mike

[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
[2]: https://nvd.nist.gov/vuln/detail/CVE-2022-41852