Description
Hello,
I’d like to raise a concern regarding the GitHub Security Advisory GHSA-jffq-528j-mp6c, which reports an XXE vulnerability in the mule-apikit-module.
Summary of Observations:
- As discussed in issue #547, it appears the patch was introduced via setFeatures() in the same class.
- The advisory claims the issue was fixed in version 1.3.1. However, there is no 1.3.1 tag in the GitHub repo. The release jumps from 1.3.0 directly to 1.4, and comparing the two (1.3.0...1.4) shows no relevant code changes to address the vulnerability.
- I found a link where the developer appears to be maintaining versioning separately. I downloaded the JAR files and compared the two versions, 1.3.1 and 1.3.0, but found no changes related to the vulnerability.
- The only evidence of discussion between the researcher and developer seems to be this thread, which lacks detailed context.
Request:
- Could the team please:
1. Confirm whether this vulnerability was indeed valid?
2. Clarify whether version 1.3.1 introduced any new XXE mitigation measures that were not already present in version 1.3.0.
Best regards,
Aditya