Closed hw207165 closed 6 months ago
That is the first I've heard of the CVE. It looks rubbish to me. Joda-Time, like many Java libraries, can throw NPE on null input. It is perfectly normal and not a threat IMO.
The CVE was raised by a brain-dead AI bot. https://gist.github.com/LLM4IG It is utter nonsense.
Thank you for the clarification. At our site, the problem was highlighted by Snyk, which we use in our build process.
I suspect that more folks will soon start to notice this issue... 😬
The official reference page for the Joda-Time response can be found here.
I contacted Sonatype OSSIndex (maybe others did too) and they have removed the tagging of this bad CVE against joda, so at least tools like OWASP Dependency Check will stop reporting this noise (NIST NVD hasn't tagged it to a product anyway, likely due to their resourcing problems).
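For anyone whose scanner still reports it before the upstream data catches up, the usual workaround is a local suppression rather than pinning or downgrading. The file below is an added example, not something from this thread or from the Joda-Time project; it uses the OWASP Dependency-Check suppression format, scoped to the joda-time Maven coordinates and to this one CVE ID only, so genuine future findings against the library are not hidden. The `until` date is an assumed value you should set to a review date of your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP Dependency-Check suppression file (pass via -suppression / suppressionFile).
     Scoped to joda-time:joda-time and to CVE-2024-23080 only; nothing else is suppressed. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2025-12-31Z"> <!-- assumed review date: re-check the NVD/OSSIndex state then -->
    <notes><![CDATA[
      CVE-2024-23080 against Joda-Time: NPE on null input, disputed by the maintainer as not a
      vulnerability; Sonatype OSSIndex has removed the product tagging. Suppressed pending NVD cleanup.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/joda-time/joda-time@.*$</packageUrl>
    <cve>CVE-2024-23080</cve>
  </suppress>
</suppressions>
```

The `until` attribute makes the suppression expire, which forces someone to revisit it instead of leaving a permanent blind spot in the build.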
Thx for your patience @jodastephen !
Does 2.12.7 fix CVE-2024-23080?