
CVE on tools-reader 1.4.2

Open · slipset opened this issue 1 year ago · 1 comment

nippy depends on tools-reader 1.4.2 which has a CVE on it, CVE-2017-20189.

This is the latest version of tools-reader, so I guess this is just an FYI.

slipset · Apr 30 '24 13:04

@slipset Hi Erik, thanks for pinging about this. Just double-checking - did you link to the correct CVE there?

I believe that's a pretty old issue, and it's not obvious from the linked page that that has anything to do with tools.reader?

Back in 2020, Nippy did have a related vulnerability via the same mechanism (java.io.Serializable being susceptible to gadget chains).

The fix in Nippy's case was to switch to an explicit whitelist for Serializable classes.

It looks like this is maybe an old issue somehow getting dredged up, and being (incorrectly?) attributed to tools.reader? I may be missing something though.

ptaoussanis · Apr 30 '24 16:04
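The comment above describes the general mechanism (arbitrary `java.io.Serializable` classes being reconstructed from untrusted bytes, which is what gadget chains exploit) and the general fix (an explicit allowlist of classes that may be deserialized). The following is an added, self-contained illustration of that pattern using only the JDK's own `ObjectInputFilter` (Java 9+); it is not Nippy's code and does not show how Nippy implements its allowlist internally. The class names, the filter pattern and the sample objects are constructed for this example.

```java
import java.io.*;

public class AllowlistDeserialization {

    // A class we explicitly trust on the allowlist (constructed for this example).
    public static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }

    // A Serializable class that is NOT on the allowlist. It is harmless here and
    // merely stands in for whatever class an attacker's payload would reference.
    public static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        NotAllowed(String payload) { this.payload = payload; }
    }

    // Plain Java serialization to a byte array (what an attacker controls on the wire).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an explicit allowlist. The filter pattern lists the classes
    // we accept, then rejects everything else ("!*"). The depth/size limits blunt
    // resource-exhaustion payloads. A rejected class raises InvalidClassException
    // when its stream descriptor is read, before any instance is created.
    static Object thawAllowlisted(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "AllowlistDeserialization$Point;java.lang.*;!*;maxdepth=10;maxbytes=65536");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Point(1, 2));
        Point p = (Point) thawAllowlisted(ok);
        System.out.println("allowlisted class accepted: " + p.x + "," + p.y);

        byte[] bad = serialize(new NotAllowed("gadget stand-in"));
        try {
            thawAllowlisted(bad);
            System.out.println("BUG: non-allowlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

The point of the allowlist is that rejection happens on the class descriptor, so the rejected class's `readObject`/`readResolve` hooks (the entry points gadget chains rely on) never run. A denylist of known gadget classes does not give that property, which is why an explicit allowlist of expected types is the usual recommendation for any `Serializable`-based format fed from untrusted input.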

Closing since from what I can tell, this alert appears to refer to an old (2017) CVE that would have been resolved by Nippy in 2020. Please feel free to reopen if I've misunderstood something and this still seems to be relevant.

ptaoussanis · May 30 '24 09:05