Is ReDoS seen as a bug/vulnerability?
Raffaello Giulietti
raffaello.giulietti at oracle.com
Fri Jan 27 12:55:54 UTC 2023
Please file a bug report with the relevant (and disclosable) details.
From: core-libs-dev <core-libs-dev-retn at openjdk.org> on behalf of David Schumann <david at dev-core.org>
Date: Friday, 27 January 2023 at 12:50
To: core-libs-dev at openjdk.org <core-libs-dev at openjdk.org>
Subject: Is ReDoS seen as a bug/vulnerability?
Hello,
During a pentest we found a ReDoS issue in the JRE which causes Matcher.matches() to go into an endless loop. Is such an issue considered a bug by the JDK team (aka should I file a bug report)? Or is such an issue considered "by design"?
The issue appears in current JRE versions (tested with 17 and 21).
Best Regards,
David Schumann
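The thread above is about whether catastrophic backtracking in java.util.regex counts as a JDK bug; independent of how that question is answered, an application can bound the damage itself. The following is an added example, not code from the thread or from the JDK: a CharSequence wrapper that checks a wall-clock deadline inside charAt(), which is the only path through which Matcher reads its input, so a runaway match is unwound with an exception instead of hanging the thread. The class and method names (BoundedRegex, DeadlineCharSequence, RegexTimeoutException, matchesWithin) are my own; the nested-quantifier pattern and the inputs in main() are constructed to show the budget taking effect.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class BoundedRegex {

    /** Thrown when a match exceeds its time budget (name chosen for this example). */
    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String message) { super(message); }
    }

    /**
     * CharSequence wrapper that checks a deadline from charAt().
     * java.util.regex reads its input exclusively through CharSequence, so a
     * backtracking explosion still has to come through here, and the exception
     * unwinds the engine no matter how deep it has recursed.
     */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        private int calls;

        static DeadlineCharSequence withBudget(CharSequence inner, long budgetMillis) {
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis);
            return new DeadlineCharSequence(inner, deadline);
        }

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            // Consult the clock every 1024 reads so well-behaved patterns pay
            // almost nothing; the work between two checks is bounded anyway.
            if ((++calls & 1023) == 0 && System.nanoTime() - deadlineNanos > 0) {
                throw new RegexTimeoutException(
                        "regex exceeded its time budget after " + calls + " character reads");
            }
            return inner.charAt(index);
        }

        @Override public int length() { return inner.length(); }

        @Override public CharSequence subSequence(int start, int end) {
            // Matcher.group() calls subSequence(); keep the same deadline.
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /** Runs pattern.matcher(input).matches() under a wall-clock budget. */
    public static boolean matchesWithin(Pattern pattern, CharSequence input, long budgetMillis) {
        Matcher m = pattern.matcher(DeadlineCharSequence.withBudget(input, budgetMillis));
        return m.matches();
    }

    public static void main(String[] args) {
        // Constructed input: a linear-time pattern completes well inside the budget.
        Pattern email = Pattern.compile("[a-z]+@[a-z]+\\.com");
        System.out.println("benign match: " + matchesWithin(email, "user@example.com", 100));

        // Constructed input: nested quantifiers plus a non-matching tail send the
        // backtracking engine through exponentially many paths. Without the wrapper
        // this call does not return in practical time; with it, the budget turns
        // the hang into an exception the caller can log and handle.
        Pattern nested = Pattern.compile("^(a+)+$");
        String hostile = "a".repeat(40) + "!";
        try {
            matchesWithin(nested, hostile, 200);
            System.out.println("nested match finished");
        } catch (RegexTimeoutException e) {
            System.out.println("aborted: " + e.getMessage());
        }
    }
}
```

The wrapper is a containment measure, not a fix for the pattern: it caps how long any one match may run (and, because the check lives in charAt(), it works on whatever thread calls the matcher without needing interrupts or a separate executor), but a pattern that backtracks exponentially should still be rewritten or replaced, and untrusted input should additionally be length-limited before it reaches the regex at all.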