Howdy folks,

I recently saw that there was a reported CVE[1] for Apache JXPath that became 
public due to no response to the reporter over 90 days. I am uncertain if the 
reporter had tried reaching out to the appropriate security lists beforehand 
and was ignored, or failed to follow our established procedures. Regardless, 
the issue is now public.

I have not personally verified the vulnerability, nor assessed the impact. NIST 
thinks it is a Big Deal, though, scoring it 9.8/10 [2].

It is hard to assess impact since the project does not publish artifacts to 
maven central, but I'm also taking that as an indicator of low adoption at this 
point in time. Further, the project has not had a release since 2015. There has 
been very limited mailing list activity, and the last 5 years of commits have 
only been typo/comment fixes.

If there is no community around it, is there a path to retirement? What are the 
next steps?

Thanks,
Mike

[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
[2]: https://nvd.nist.gov/vuln/detail/CVE-2022-41852

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
