Bugzilla – Bug 1222690
VUL-0: CVE-2024-23080: joda-time: null pointer exeption via the component org.joda.time.format.PeriodFormat::wordBased(Locale)
Last modified: 2024-05-06 17:52:35 UTC
Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23080 https://www.cve.org/CVERecord?id=CVE-2024-23080 http://joda.com https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f https://github.com/JodaOrg/joda-time https://bugzilla.redhat.com/show_bug.cgi?id=2274516
It has been a while since upstream has made any updates to the src/main/java/org/joda/time/format/PeriodFormat.java file, which contains the vulnerable code. It is, therefore, likely that as of 2024-04-11 there is no available fix for this issue.
(In reply to Camila Camargo de Matos from comment #2) > It has been a while since upstream has made any updates to the > src/main/java/org/joda/time/format/PeriodFormat.java file, which contains > the vulnerable code. It is, therefore, likely that as of 2024-04-11 there is > no available fix for this issue. Also, the CVE is disputed by a number of third parties. So, I did not act, because we might be patching non-existing vulnerability. When you look here https://www.joda.org/joda-time//security.html, you will realize that: "CVE-2024-23080 This was raised publicly on 2024-04-10. There was no prior warning or private disclosure. The CVE is nonsense. It was raised by an AI-driven bot. The CVE describes that a NullPointerException is thrown when null is passed into a method. As any Java developer knows, this is perfectly normal and not a security issue or CVE. Users of Joda-Time do not need to take any action as the CVE is invalid."