Good to know such cases. As always, thank you for maintaining the OSS ecosystem, including responding to vulnerability questions.

https://nvd.nist.gov/vuln/detail/CVE-2022-40160

Description

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.

On Fri, Jun 30, 2023 at 09:40 Gary Gregory <garydgreg...@gmail.com> wrote:

> That CVE is invalid, please see
> https://nvd.nist.gov/vuln/detail/CVE-2022-40160
>
> You should rely on official CVE databases like nist.gov.
>
> Gary
>
> On Fri, Jun 30, 2023, 09:04 Debraj Manna <subharaj.ma...@gmail.com> wrote:
>
> > commons-jxpath 1.3 is also getting flagged for CVE-2022-40159
> > <https://security.snyk.io/vuln/SNYK-JAVA-COMMONSJXPATH-3040994>.
> >
> > On Fri, Jun 30, 2023 at 6:28 PM Debraj Manna <subharaj.ma...@gmail.com> wrote:
> >
> > > Hi
> > >
> > > We have been flagged for CVE-2022-401600
> > > <https://security.snyk.io/vuln/SNYK-JAVA-COMMONSJXPATH-3040995> on
> > > commons-jxpath, version 1.3.
> > >
> > > Can someone let me know whether commons-jxpath is really affected by this
> > > vulnerability? If yes, is there any plan to fix this?

--
Regards,
Tomo