Closed slipset closed 4 months ago
@slipset Hi Erik, thanks for pinging about this. Just double-checking - did you link to the correct CVE there?
I believe that's a pretty old issue, and it's not obvious from the linked page that that has anything to do with tools.reader?
Back in 2020, Nippy did have a related vulnerability via the same mechanism (java.io.Serializable being susceptible to gadget chains).
The fix in Nippy's case was to switch to an explicit whitelist for Serializable classes.
It looks like this is maybe an old issue somehow getting dredged up, and being (incorrectly?) attributed to tools.reader? I may be missing something though.
Closing since from what I can tell, this alert appears to refer to an old (2017) CVE that would have been resolved by Nippy in 2020. Please feel free to reopen if I've misunderstood something and this still seems to be relevant.
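The comment above describes the mitigation Nippy adopted for the Serializable gadget-chain class of bug: an explicit allowlist of classes that may be deserialized, so that the JVM refuses to instantiate anything else before its `readObject` can run. The following is an added illustration of that approach, not Nippy's or tools.reader's own code; it uses the JDK's built-in `ObjectInputFilter` (Java 9+) from Clojure, and the two-entry allowlist (`java.util.ArrayList` and `java.lang.String`) is an assumed example policy, not a recommendation for any particular application.

```clojure
(ns example.allowlisted-thaw
  "Added example (not Nippy's code): an explicit allowlist for Serializable
  classes, enforced with the JDK's ObjectInputFilter before any class in the
  stream is instantiated."
  (:import [java.io ByteArrayInputStream ByteArrayOutputStream
            InvalidClassException ObjectInputFilter$Config
            ObjectInputStream ObjectOutputStream]
           [java.util ArrayList HashMap]))

;; Pattern syntax: entries are checked left to right and the first match
;; wins; the trailing "!*" rejects every class not listed before it.
;; This particular allowlist is an assumption chosen for the example.
(def ^:private allowlist-pattern
  "java.util.ArrayList;java.lang.String;!*")

(def ^:private allowlist-filter
  (ObjectInputFilter$Config/createFilter allowlist-pattern))

(defn freeze
  "Java-serialize `obj` to a byte array. Stands in for bytes that arrived
  from an untrusted source."
  ^bytes [obj]
  (let [baos (ByteArrayOutputStream.)]
    (with-open [oos (ObjectOutputStream. baos)]
      (.writeObject oos obj))
    (.toByteArray baos)))

(defn thaw-allowlisted
  "Deserialize `bs`, letting the filter veto any class that is not on the
  allowlist. The veto happens when the class descriptor is read, i.e. before
  the class is resolved or its readObject runs, which is what breaks gadget
  chains. Returns the object, or :rejected if a disallowed class was named."
  [^bytes bs]
  (with-open [ois (ObjectInputStream. (ByteArrayInputStream. bs))]
    (.setObjectInputFilter ois allowlist-filter)
    (try
      (.readObject ois)
      (catch InvalidClassException _
        :rejected))))

(comment
  ;; An ArrayList of strings passes the allowlist.
  (thaw-allowlisted (freeze (ArrayList. ["a" "b"])))
  ;; A HashMap is not on the list, so the stream is refused.
  (thaw-allowlisted (freeze (doto (HashMap.) (.put "k" "v")))))
```

The same policy can be applied process-wide instead of per stream by setting the `jdk.serialFilter` system property to the pattern string, which is useful as a safety net when a library deserializes on your behalf. Nippy itself exposes its own allowlist configuration for `Serializable` classes; consult its documentation for the current option names rather than assuming the JDK filter is what it uses internally.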
nippy depends on tools-reader 1.4.2 which has a CVE on it, CVE-2017-20189.
This is the latest version of tools-reader, so I guess this is just a FYI.