OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details #280

Closed kellyselden closed 2 years ago

kellyselden commented 2 years ago

Vulnerability URL: https://ossindex.sonatype.org/vulnerability/sonatype-2020-1579

Component URL: https://ossindex.sonatype.org/component/pkg:npm/prismjs

Description: According to https://github.com/PrismJS/prism/pull/2584, this was fixed in 1.23.0.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 2 years ago

Deep-dive research determined the fix provided by the project to be insufficient, and this has been stated in the advisory's deviation notice in the explanation.

The Sonatype security research team discovered that the fix for this vulnerability provided in version 1.23.0 was incomplete and that it is still possible to trigger catastrophic backtracking with a larger input in versions 1.23.0 and later. The developers suggested on this issue that they would not provide additional fixes for this vulnerability.
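The finding above is that a fix can shift catastrophic backtracking to a larger input rather than remove it. The following is an added example, not code from this issue thread, OSS Index or the PrismJS project: a small Node.js harness that measures how regex matching time grows with input length, which is how a defender can check whether a patched pattern still backtracks super-linearly. The two regexes (`NESTED_QUANTIFIER`, `SAFE_PATTERN`), the input builder and the ratio threshold are constructed for demonstration and are not taken from PrismJS.

```javascript
// Added example (not from the OSS Index issue or PrismJS): check a regex for
// super-linear backtracking by timing it against inputs of growing length.
// Uses only Node.js built-ins (process.hrtime.bigint), so it runs offline.

// Constructed demonstration patterns; neither is a PrismJS regex.
const NESTED_QUANTIFIER = /^(a+)+$/; // classic nested-quantifier pattern
const SAFE_PATTERN = /^a+$/;         // linear pattern accepting the same strings

// Build an input that almost matches but fails on the last character. A
// backtracking engine then tries every way of splitting the run of "a"s,
// which is what turns a near-miss input into a denial-of-service vector.
function hostileInput(n) {
  return 'a'.repeat(n) + '!';
}

// Minimum wall-clock nanoseconds over `reps` runs of re.test(input); taking the
// minimum filters out JIT warm-up and scheduler noise.
function minTimeNs(re, input, reps = 5) {
  let best = Infinity;
  for (let i = 0; i < reps; i++) {
    const t0 = process.hrtime.bigint();
    re.test(input);
    const dt = Number(process.hrtime.bigint() - t0);
    if (dt < best) best = dt;
  }
  return best;
}

// Timing profile across several input sizes, for inspection by a reviewer.
function timingProfile(re, sizes) {
  return sizes.map((n) => ({ n, ns: minTimeNs(re, hostileInput(n)) }));
}

// Heuristic verdict: if growing the input from `small` to `large` characters
// multiplies the matching time by more than `threshold`, the pattern is
// backtracking super-linearly. A linear pattern stays within a small factor;
// an exponential one grows by roughly 2^(large - small).
function looksSuperLinear(re, small = 12, large = 22, threshold = 50) {
  const tSmall = Math.max(minTimeNs(re, hostileInput(small)), 1);
  const tLarge = minTimeNs(re, hostileInput(large));
  return tLarge / tSmall > threshold;
}

// Stand-alone run: print the profiles and verdicts for both patterns.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, re] of [['nested', NESTED_QUANTIFIER], ['safe', SAFE_PATTERN]]) {
    console.log(name, timingProfile(re, [12, 16, 20, 22]),
      'super-linear:', looksSuperLinear(re));
  }
}
```

The point of the size sweep is the one the research team's note makes: a single short test case passing says nothing, because a pattern that is merely slower to blow up still blows up once the input is large enough. Keep the larger size modest (around 22 here) so the check itself finishes quickly in CI.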

kellyselden commented 2 years ago

Thanks for the context!