Bug 2274494 (CVE-2024-23076)
| Summary: | CVE-2024-23076 jfreechart: Null pointer exception | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | ybuenos |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | adupliak, aileenc, asatyam, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, cmiranda, csutherl, darran.lofthouse, dhanak, diagrawa, dkreling, dosoudil, drichtar, fjuma, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jclere, jkoops, jrokos, jscholz, kverlaen, lgao, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pcongius, pdelbell, pdrozd, peholase, pjindal, plodge, pmackay, pskopek, rguimara, rkieley, rmartinc, rowaters, rstancel, rstepani, sabiswas, saroy, smaestri, sthorger, swoodman, szappis, tom.jenkinson, zbyszek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A NULL pointer exception vulnerability was found in Freechart. In the method generateLabelString, if the dataset parameter is NULL, a NULL pointer exception is thrown. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2274496, 2274497, 2274498 | | |
| Bug Blocks: | 2274511 | | |
Description

ybuenos
2024-04-11 11:45:55 UTC

Created bionetgen tracking bugs for this issue:
Affects: epel-all [bug 2274496]
Affects: fedora-all [bug 2274497]

Created jfreechart tracking bugs for this issue:
Affects: fedora-all [bug 2274498]

Hi, I think we need to be careful about all these NPE security issues opened in random Java Open Source projects lately. They are most probably generated by an AI and invalid: passing null as a parameter and getting an NPE is not surprising at all and most of the time won't lead to any security issue. For instance, see Joda Time's response for a similar "CVE" opened recently: https://www.joda.org/joda-time/security.html

** DISPUTED ** Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

Posting here, but I saw several others coming.

Yeah. A NullPointerException in Java is just an exception, and that usually means that either the calling code will catch it and possibly display an error dialogue, or not catch it and the program will terminate with a backtrace. It may be a _bug_, but it hardly seems relevant for security.

Non Security Issue: https://github.com/jfree/jfreechart/issues/396