[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716851#comment-17716851 ]
Ilguiz Latypov edited comment on XERCESC-2188 at 4/26/23 8:33 PM: ------------------------------------------------------------------ Since year 2019, the NIST record of this bug included the upper boundary for the Xerces C version, 3.2.2 (probably because it was the last known version of the product). It was updated to include 3.2.3 in years 2020 (in the human-readable description) and 2022 (in the machine-readable one). https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection Now that 3.2.4 is released, it shows as clean from the CVE despite still being vulnerable. This makes the component scan users miss the danger. Is there a way to remove the upper boundary from the CVE? I can see the change history at NIST extends to this year. Hopefully a breaking change (4.0?) can be free from the vulnerability, at which point the CVE record could add the proper upper boundary. was (Author: ilatypov): Since year 2019, the NIST record of this bug included the upper boundary for the Xerces C version, 3.2.3 (probably because it was the last known version of the product). https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection Now that 3.2.4 is released, it shows as clean from the CVE despite still being vulnerable. This makes the component scan users miss the danger. Is there a way to remove the upper boundary from the CVE? I can see the change history at NIST extends to this year. Hopefully a breaking change (4.0?) can be free from the vulnerability, at which point the CVE record could add the proper upper boundary. > Use-after-free on external DTD scan > ----------------------------------- > > Key: XERCESC-2188 > URL: https://issues.apache.org/jira/browse/XERCESC-2188 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) > Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, > 3.1.4, 3.2.1, 3.2.2 > Reporter: Scott Cantor > Priority: Major > Attachments: Apache-496067-disclosure-report.pdf > > > This is a record of an unfixed bug reported in 2018 in the DTD scanner, per > the attached PDF, corresponding to CVE-2018-1311. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org