Bug#1059726: jline3: CVE-2023-50572

Emmanuel Bourg ebourg at apache.org
Thu Jun 11 22:28:06 BST 2026


Control: found -1 3.14.0


On 30/12/2023 at 21:13, Salvatore Bonaccorso wrote:
> Source: jline3
> Version: 3.3.1-3
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for jline3.
> 
> CVE-2023-50572[0]:
> | An issue in the component GroovyEngine.execute of jline-groovy
> | v3.24.1 allows attackers to cause an OOM (OutofMemory) error.
> 
> Now I'm not completely sure about the assessment. The code in 3.3.1
> got some refactoring in later versions and the upstream commit from
> 3.25.0 fixing the issue would not apply cleanly, but I'm not 100%
> convinced that the issue is only introduced later. Please double check
> that. If not, where was the issue introduced? Can we pin-point
> that?

Groovy support was introduced in JLine 3.14.0 [1], so our old 3.3.1 
version is not affected by CVE-2023-50572.

Emmanuel Bourg

[1] https://github.com/jline/jline3/commit/5e0eb5e2
