Open Nyhtfury opened 3 months ago
Please confirm whether only libexpat needs to be updated due to the CVE-xxx
@lanewei120 per the CVE: "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context."
Thus, my understanding is that only libexpat needs to be updated to address CVE-2022-25235.
@Nyhtfury I will try to update Expat
Bambu Studio Version
1.9.1
Where is the application from?
Bambu Lab github releases
OS version
Windows 10 & 11
Additional system information
No response
Printer
Bambu Lab X1E (proposed)
How to reproduce
See the CVE here: https://www.mend.io/vulnerability-database/CVE-2022-25235
Actual results
My IT department will not allow this program with a critical remote execution vulnerability due to the old version of Expat (i.e. libexpat) that Bambu Studio is being built with. As a result, a printer is not being purchased.
Expected results
To resolve the RCE CVE, Expat (i.e. libexpat) must be updated to at least 2.4.5. I would also expect the code base to standardize on a version.
Project file & Debug log uploads
N/A
Checklist of files to include
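Added example (not Bambu Studio's or libexpat's own code): a script that finds every bundled `expat.h` in a source tree, reads the `XML_MAJOR_VERSION`/`XML_MINOR_VERSION`/`XML_MICRO_VERSION` macros that expat.h defines, flags copies older than the 2.4.5 fix for CVE-2022-25235, and reports whether the tree bundles more than one Expat version. The sample header contents and paths are constructed for the demo.

```python
"""Audit bundled Expat (libexpat) headers against the CVE-2022-25235 fix
version (2.4.5) and flag source trees that carry more than one copy."""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Minimum version the issue asks for; tuples compare lexicographically.
FIX_VERSION: Tuple[int, int, int] = (2, 4, 5)
# expat.h defines these three macros; the build compiles against them.
_MACRO = re.compile(r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.M)


def parse_expat_version(header_text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, micro) from expat.h text, or None if a macro is missing."""
    found = {m.group(1): int(m.group(2)) for m in _MACRO.finditer(header_text)}
    if not {"MAJOR", "MINOR", "MICRO"} <= found.keys():
        return None
    return (found["MAJOR"], found["MINOR"], found["MICRO"])


def audit_versions(headers: Dict[str, str]) -> Dict[str, object]:
    """headers maps a path to the text of an expat.h found there.
    Returns vulnerable paths, unparsable paths, the distinct versions seen,
    and whether the tree is standardized on a single version."""
    versions = {p: parse_expat_version(t) for p, t in headers.items()}
    vulnerable = sorted(p for p, v in versions.items() if v is not None and v < FIX_VERSION)
    unknown = sorted(p for p, v in versions.items() if v is None)
    distinct = sorted({v for v in versions.values() if v is not None})
    return {"vulnerable": vulnerable, "unknown": unknown,
            "distinct_versions": distinct, "consistent": len(distinct) <= 1}


def scan_tree(root: Path) -> Dict[str, object]:
    """Walk a real checkout, collect every expat.h, and audit them."""
    headers = {str(p): p.read_text(errors="replace") for p in root.rglob("expat.h")}
    return audit_versions(headers)


# Constructed sample: one pre-fix copy, one patched copy, one header with no version macros.
SAMPLE_HEADERS = {
    "deps/old/expat.h": "#define XML_MAJOR_VERSION 2\n#define XML_MINOR_VERSION 2\n#define XML_MICRO_VERSION 10\n",
    "deps/new/expat.h": "#define XML_MAJOR_VERSION 2\n#define XML_MINOR_VERSION 4\n#define XML_MICRO_VERSION 8\n",
    "deps/odd/expat.h": "/* constructed: no version macros */\n",
}

if __name__ == "__main__":
    print(audit_versions(SAMPLE_HEADERS))
```

Run `scan_tree(Path("path/to/checkout"))` against a real tree; any path listed under `vulnerable` still compiles against a pre-2.4.5 Expat.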