sonatype/ossindex-maven

False positive on icu4j? CVE-2018-18928 applies to c/c++ icu code not icu4j

Closed this issue · 1 comment

ossindex is citing CVE-2018-18928 for:

com.ibm.icu:icu4j:62.2

That CVE seems to point to a bug in the C/C++ code, not the Java port. Is this a misattribution to the icu4j artifact? Or is this user error on my part? Thank you.

Sorry. My mistake. Java is implicated in the patch: unicode-org/icu@6cbd62e