Not much insight as to security impact here, "special character is breaking the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please stabilize when ready.
(In reply to John Helmert III from comment #0)
> Not much insight as to security impact here, "special character is breaking
> the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please
> stabilize when ready.

Personally think this CVE is a bit silly. Reporter claims that "%00" added to the end of an XML file load should fail when it is just stripped after decoding. Waiting on 8.0 slot to appear before continuing
(In reply to Brian Evans from comment #1)
> (In reply to John Helmert III from comment #0)
> > Not much insight as to security impact here, "special character is breaking
> > the path in xml function". Anyway, fixed in 7.4.26 and 7.3.33. Please
> > stabilize when ready.
>
> Personally think this CVE is a bit silly. Reporter claims that "%00" added
> to the end of an XML file load should fail when it is just stripped after
> decoding. Waiting on 8.0 slot to appear before continuing

That was my perception too, but wanted to wait for maintainer feedback. Reporter does say "If this patch has been implemented then I would like to request CVE for this please. It would be helpful for my resume/CV", which doesn't bode well for the validity of the "vulnerability".
Oops, tree is clean. All done.