
Vulnerable Code #403

Closed
ashutoshbabu opened this issue May 23, 2024 · 3 comments

Comments

@ashutoshbabu

CVE-2023-52070 (OSSINDEX)

JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int index, int type)' method. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-129 Improper Validation of Array Index

CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:
OSSINDEX - [CVE-2023-52070] CWE-129: Improper Validation of Array Index
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52070
OSSIndex - https://gist.github.com/LLM4IG/f55de46e65fb5a19b7815adb36fd858b
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.jfree:jfreechart:1.5.4

CVE-2024-22949 (OSSINDEX)

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference

CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:
OSSINDEX - [CVE-2024-22949] CWE-476: NULL Pointer Dereference
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22949
OSSIndex - https://gist.github.com/LLM4IG/35c46e009b205ef6acd0e290e80fb876
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.jfree:jfreechart:1.5.4

CVE-2024-23076 (OSSINDEX)

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference

CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:
OSSINDEX - [CVE-2024-23076] CWE-476: NULL Pointer Dereference
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23076
OSSIndex - GHSA-cf2p-hqc9-vhmw
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.jfree:jfreechart:1.5.4

Evidence

| Type | Source | Name | Value | Confidence |
| -- | -- | -- | -- | -- |
| Vendor | file | name | jfreechart | High |
| Vendor | jar | package name | jfree | Highest |
| Vendor | jar | package name | jfreechart | Highest |
| Vendor | jar | package name | range | Highest |
| Vendor | jar | package name | series | Highest |
| Vendor | jar | package name | time | Highest |
| Vendor | jar | package name | xy | Highest |
| Vendor | Manifest | automatic-module-name | org.jfree.jfreechart | Medium |
| Vendor | Manifest | build-jdk-spec | 19 | Low |
| Vendor | pom | artifactid | jfreechart | Low |
| Vendor | pom | developer email | [email protected] | Low |
| Vendor | pom | developer name | David Gilbert | Medium |
| Vendor | pom | groupid | org.jfree | Highest |
| Vendor | pom | name | JFreeChart | High |
| Vendor | pom | organization name | JFree.org | High |
| Vendor | pom | organization url | http://www.jfree.org/ | Medium |
| Vendor | pom | url | http://www.jfree.org/jfreechart/ | Highest |
| Product | file | name | jfreechart | High |
| Product | jar | package name | jfree | Highest |
| Product | jar | package name | jfreechart | Highest |
| Product | jar | package name | range | Highest |
| Product | jar | package name | series | Highest |
| Product | jar | package name | time | Highest |
| Product | jar | package name | xy | Highest |
| Product | Manifest | automatic-module-name | org.jfree.jfreechart | Medium |
| Product | Manifest | build-jdk-spec | 19 | Low |
| Product | pom | artifactid | jfreechart | Highest |
| Product | pom | developer email | [email protected] | Low |
| Product | pom | developer name | David Gilbert | Low |
| Product | pom | groupid | org.jfree | Highest |
| Product | pom | name | JFreeChart | High |
| Product | pom | organization name | JFree.org | Low |
| Product | pom | organization url | http://www.jfree.org/ | Low |
| Product | pom | url | http://www.jfree.org/jfreechart/ | Medium |
| Version | file | version | 1.5.4 | High |
| Version | pom | version | 1.5.4 | Highest |
@trashgod
Contributor

trashgod commented May 23, 2024

See also issue #399 and #396. More here.

@tracylynne99
Collaborator

Can I be nitpicky and complain about the wording of this thing too? Should be "throws" not "contains" a NullPointerException lol.

@jfree
Owner

jfree commented Jun 23, 2024

I don't believe any of these are genuine security vulnerabilities. I added the following to the README for the v1.5.5 release:

Note: some (supposed) security vulnerabilities have been reported for v1.5.4:

  • CVE-2023-52070 : an ArrayIndexOutOfBoundsException in CompassPlot
    No fix is considered necessary, however (#397) has been applied.

  • CVE-2024-22949 : a possible NullPointerException in CategoryLineAnnotation
    No fix is considered necessary.

  • CVE-2024-23076 : a possible NullPointerException in BubbleXYItemLabelGenerator
    No fix is considered necessary.

@jfree jfree closed this as completed Jun 23, 2024