JodaOrg / joda-time

Joda-Time is the widely used replacement for the Java date and time classes prior to Java SE 8.
http://www.joda.org/joda-time/
Apache License 2.0

Does 2.12.7 fix CVE-2024-23080? #780

Closed hw207165 closed 6 months ago

hw207165 commented 6 months ago

Does 2.12.7 fix CVE-2024-23080?

jodastephen commented 6 months ago

That is the first I've heard of the CVE. It looks rubbish to me. Joda-Time, like many Java libraries, can throw NPE on null input. It is perfectly normal and not a threat IMO.

jodastephen commented 6 months ago

The CVE is raised by a brain-dead AI bot. https://gist.github.com/LLM4IG It is utter nonsense.

arnovdk commented 6 months ago

Thank you for the clarification. At our site, the problem was highlighted by Snyk, which we use in our build process.

I suspect that more folks will soon start to notice this issue... 😬

jodastephen commented 6 months ago

The official reference page for the Joda-Time response can be found here.

chadlwilson commented 6 months ago

I contacted Sonatype OSSIndex (maybe others did too) and they have removed the tagging of this bad CVE against joda, so at least tools like OWASP Dependency Check will stop reporting this noise (as NIST NVD haven't tagged it to a product anyway, likely due to their resourcing problems).

Thx for your patience @jodastephen !