Vulnerability found on com.ibm.icu.icu4j dependency #48
Comments
@jzimermann the CVE is for icu for C, not J. Anyway, the "remote code execution" is questionable; I think it's actually just a crash after memory allocation fails instead of an error result (and then a crash!)
Yes @srl295, we did notice that the details in the CVE description referred to icu4c and not icu4j. To give you some background information: we are using spring-boot with the owasp dependency checker as part of our build pipeline. The error we are getting is,
I haven't explored any of these in detail; either way, it would be great if we moved to version
Thanks for your reply, @oloo .
No, ICU4J does not call ICU4C, nor does it have similar implementation in this case. The
I think the dependency checker may be buggy if it flagged an error. The CVE specifically mentions C++. Would you be able to file an issue and mention me? I think one issue may be that the CPE
@srl295, @jzimermann I have filed the issue here and tagged both of you.
@oloo for point 3 above - I'm not sure I would blame MITRE/NVD for mistakenly flagging icu4j as icu4c. OWASP dependency-check uses the data from the NVD to do a best effort matching - false positives do crop up from time to time. For the maintainers of
Thanks for the clarification @jeremylong. In the meantime, we will add icu4j to our suppressions list while we wait for the next dependency-check release. Thanks again @srl295, @jeremylong, @jzimermann
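As an added example, not taken from this thread or from the dependency-check project itself, here is a suppression entry of the kind @jzimermann describes. It is scoped to the icu4j artifact and to the single CVE the scanner reported, rather than silencing every finding for the package; the CVE identifier is a placeholder because the thread does not name it, and the schema URL and element names are dependency-check's own (1.3 schema).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check; not from the thread. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: the flagged CVE describes ICU4C (C/C++), not ICU4J.
        Remove this entry once the dependency-check release with corrected
        CPE matching is in use, so the suppression does not outlive its reason.
        ]]></notes>
        <!-- Match only the icu4j Maven artifact (any version) via its package URL. -->
        <packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j@.*$</packageUrl>
        <!-- Placeholder: substitute the actual CVE id reported by the scanner. -->
        <cve>CVE-XXXX-XXXXX</cve>
    </suppress>
</suppressions>
```

The file is passed with `--suppression suppression.xml` on the command-line tool or via the `suppressionFile` parameter of the Maven plugin. Keeping the `<cve>` element (instead of suppressing by package alone) means a genuine ICU4J advisory published later would still be reported.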
Version 2.2 is released now
The issue

Slugify library recently added a dependency called com.ibm.icu.icu4j as part of the effort to solve #45 and support other languages. It was found here that version 59.1 has a vulnerability that allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue. We are working on a Pull Request that bumps the com.ibm.icu.icu4j version to 60.1, which should fix this. @oloo pairing with me on this issue