Open marekwisnia opened 6 months ago
Pretty sure all of those are bogus. I see that they are already under dispute. I think @LLM4IG is running a tool and automatically reporting things which in most cases aren't real vulnerabilities (especially in the context of Java libraries). If you look at the reported things, it's things like
"Method draw(Graphics2D g2, CategoryPlot plot, Rectangle2D dataArea, CategoryAxis domainAxis, ValueAxis rangeAxis) on line 287 in org/jfree/chart/annotations/CategoryLineAnnotation.java throws a NullPointerException if argument plot is null."
Yeah, if you don't use the library correctly you might get a NullPointerException or an ArrayIndexOutOfBoundsException, but that doesn't mean that this is a security vulnerability.
Just found a ticket with more info and even better explanations #396
Hi
Are the below CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2023-52070
https://nvd.nist.gov/vuln/detail/CVE-2024-22949
https://nvd.nist.gov/vuln/detail/CVE-2024-23076
https://nvd.nist.gov/vuln/detail/CVE-2024-23077
planned to be solved in the 1.5.x family (hence with JDK 1.8 support) or ONLY in the 2.0 family (JDK >= 11 and higher) OR BOTH?
BR/ Marek