
CVE on tools-reader 1.4.2 #173

Closed
slipset opened this issue Apr 30, 2024 · 2 comments

Comments

@slipset (Contributor)

slipset commented Apr 30, 2024

nippy depends on tools-reader 1.4.2 which has a CVE on it, CVE-2017-20189.

This is the latest version of tools-reader, so I guess this is just an FYI.

@ptaoussanis (Member)

@slipset Hi Erik, thanks for pinging about this. Just double-checking - did you link to the correct CVE there?

I believe that's a pretty old issue, and it's not obvious from the linked page that that has anything to do with tools.reader?

Back in 2020, Nippy did have a related vulnerability via the same mechanism (java.io.Serializable being susceptible to gadget chains).

The fix in Nippy's case was to switch to an explicit whitelist for Serializable classes.

It looks like this is maybe an old issue somehow getting dredged up, and being (incorrectly?) attributed to tools.reader? I may be missing something though.
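To illustrate the mitigation described in the comment above (an explicit allowlist for classes that may be restored from a java.io.Serializable stream, so that gadget-chain classes never get instantiated), here is an added example in plain Java using the JDK's ObjectInputFilter. It is not Nippy's code; the class name, allowlist contents and sample payloads are constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

// Added example, not Nippy's implementation: deserialization guarded by an
// explicit allowlist. Classes outside the list are refused before their
// readObject/readResolve logic can run, which is what defeats gadget chains.
public class SerializableAllowlist {

    // Hypothetical allowlist: the pattern lists permitted classes and ends
    // with "!*", rejecting everything else (including serializable superclasses).
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "java.util.ArrayList;java.lang.Integer;java.lang.Number;!*");

    static byte[] freeze(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist installed; a rejected class surfaces
    // as InvalidClassException rather than being instantiated.
    static Object thaw(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ArrayList of Integers is on the allowlist.
        byte[] allowed = freeze(new ArrayList<>(List.of(1, 2, 3)));
        System.out.println("allowed: " + thaw(allowed));

        // Constructed sample: HashMap is not allowlisted, so it is refused
        // even though it is a perfectly ordinary Serializable class.
        byte[] denied = freeze(new HashMap<>(Map.of("k", 1)));
        try {
            thaw(denied);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied JVM-wide with the jdk.serialFilter system property, which is useful when the deserializing code lives in a library you do not control.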

@ptaoussanis (Member)

Closing since from what I can tell, this alert appears to refer to an old (2017) CVE that would have been resolved by Nippy in 2020. Please feel free to reopen if I've misunderstood something and this still seems to be relevant.
