You're welcome and keep asking :-)

Gary


On Fri, Jun 30, 2023, 10:10 Tomo Suzuki <suzt...@google.com.invalid> wrote:

> Good to know about such cases. As always, thank you for maintaining the OSS
> ecosystem, including responding to vulnerability questions.
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2022-40160
> Description
>
> ** DISPUTED ** This record was originally reported by the oss-fuzz project
> who failed to consider the security context in which JXPath is intended to
> be used and failed to contact the JXPath maintainers prior to requesting
> the CVE allocation. The CVE was then allocated by Google in breach of the
> CNA rules. After review by the JXPath maintainers, the original report was
> found to be invalid.
>
> On Fri, Jun 30, 2023 at 09:40 Gary Gregory <garydgreg...@gmail.com> wrote:
>
> > That CVE is invalid, please see
> > https://nvd.nist.gov/vuln/detail/CVE-2022-40160
> >
> > You should rely on official CVE databases like nist.gov.
> >
> > Gary
> >
> >
> >
> > On Fri, Jun 30, 2023, 09:04 Debraj Manna <subharaj.ma...@gmail.com> wrote:
> >
> > > commons-jxpath 1.3 is also getting flagged for CVE-2022-40159
> > > <https://security.snyk.io/vuln/SNYK-JAVA-COMMONSJXPATH-3040994>.
> > >
> > > On Fri, Jun 30, 2023 at 6:28 PM Debraj Manna <subharaj.ma...@gmail.com> wrote:
> > >
> > > > Hi
> > > >
> > > > We have been flagged for CVE-2022-401600
> > > > <https://security.snyk.io/vuln/SNYK-JAVA-COMMONSJXPATH-3040995> on
> > > > commons-jxpath, version 1.3.
> > > >
> > > > Can someone let me know if commons-jxpath is really affected by this
> > > > vulnerability? If yes, is there any plan to fix this?
> > > >
> > >
> >
> --
> Regards,
> Tomo
>
