Hello,
I am currently using a library A which depends on another artifact B that uses htmlunit-neko 2.63.0 as a dependency, and for this version my Sonar instance reports CVE-2024-23635. The description of the CVE says that it is caused by the scanStartElement and scanEndElement functions. The vulnerability was fixed in version 3.11.0, which introduced the scanTagName function in place of scanName in both scanStartElement and scanEndElement.
Unfortunately, changing the neko version is impossible due to differences between versions 2.63.0 and 3.11.0, which cause various incompatibility errors, for example:
org.apache.xerces.xni.XMLAttributes cannot be converted to org.htmlunit.cyberneko.xerces.xni.XMLAttributes
and so on...
Would it be possible to create a patched version of 2.63.x (in that case it would be 2.63.1) with the changes that I have already prepared on my fork: https://github.com/DawidSobierajski/htmlunit-neko/tree/2_63_1
Diff: https://github.com/HtmlUnit/htmlunit-neko/compare/2.63.0...DawidSobierajski:htmlunit-neko:2_63_1?expand=1
Commit used for back porting: 55053e4
Thank you