Synopsis Black duck vulnerability report

Question

Synopsis Black duck vulnerability report

jadelekekpmg opened this issue 3 years ago · 3 comments

CVE-2020-7791

Synopsis Black duck is reporting a vulnerability with ruby-i18n1.8.11

Description
This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs.

The weird part is that the referenced description is talking about a .cs file.
Is Blackduck reporting a false positive here?

Digging deeper, it also says it is fixed here: turquoiseowl/i18n@c418e33

Which is a totally different project.

I am confused.

Answer 1 · 2022-01-05T21:45:05.000Z

I don’t see where Ruby i18n is reported there at all. I guess they’ve updated it?

Answer 2 · 2022-01-06T13:02:49.000Z

Hello @radar ,
Please see the attached image for the reported issue by BlackDuck.
The Description Says:
Description
This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs.

View CVE record:

I wonder if this is a false positive report?
Thanks,

Answer 3 · 2022-01-06T20:16:35.000Z

Perhaps there is more than one project in the world called “i18n”

…

On 7 Jan 2022, 00:03 +1100, jadelekekpmg ***@***.***>, wrote: Hello @radar , Please see the attached image for the reported issue by BlackDuck. The Description Says: Description This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs. View CVE record: I wonder if this is a false positive report? Thanks, — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you were mentioned.Message ID: ***@***.***>