Are these false positives? #2184
Comments
You are unclear for which vulnerability a false positive is reported, e.g. CVE-2019-14379 is fixed in 2.8.11.4 according to FasterXML/jackson-databind#2387 and https://nvd.nist.gov/vuln/detail/CVE-2019-14379
struts2-core 2.3.37 reported CVE-2018-1327.
CVE-2018-1327 is a FP for struts2-core, as it is a vulnerability in struts2-rest-plugin; both share the same CPE at NVD. CVE-2018-1000873 is not a FP according to the NVD analysis report. It reports all versions up to excluding 2.9.8 as vulnerable. CVE-2018-14719 is a FP; for 2.8.x only 2.8.0 up to excluding 2.8.11.3 is vulnerable according to the NVD analysis.
@Nriver Note that CVE-2018-1000873 is indicated as a won't fix for 2.8.x in the corresponding jackson github issue. So upgrading that library to 2.9.8+ is the only solution for that CVE.
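The verdicts in the two comments above (CVE-2018-14719 and CVE-2018-1327 are false positives, CVE-2018-1000873 is not) come down to two checks: does the reported version fall inside the NVD version range, and does the Maven artifact actually contain the affected code when several artifacts share one CPE. The following is an added example, not code from dependency-check or from anyone in this thread, that makes both checks explicit for the CPE strings and ranges quoted here. The ranges for CVE-2018-1000873 and CVE-2018-14719 are the ones the comment quotes from NVD; the range for CVE-2019-14379 is an assumption derived from "fixed in 2.8.11.4"; CVE-2018-1327 has no version bound stated in the thread, so it is left unbounded and the constructed artifact-level filter alone decides it.

```python
"""Added example: NVD-style CPE version-range matching plus an artifact-level
filter, applied to the CPEs discussed in this issue.  Not project code."""

import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '2.8.11.4' into (2, 8, 11, 4).  Parsing stops at the first
    non-numeric component (e.g. 'rc1'); sufficient for the versions here."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison; shorter tuples are zero-padded so 2.9 == 2.9.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields.
    Escaped colons ('\\:') are not handled; none occur in this thread."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, fields[2:]))


@dataclass(frozen=True)
class CpeMatch:
    """One NVD-style configuration entry: vendor/product plus an optional
    [start_including, end_excluding) version window.  affected_artifacts is
    this example's own addition: the Maven artifactIds that actually ship the
    vulnerable code when several artifacts share the same CPE."""
    cve: str
    vendor: str
    product: str
    start_including: Optional[str] = None
    end_excluding: Optional[str] = None
    affected_artifacts: Optional[frozenset] = None

    def matches(self, cpe: dict, artifact_id: str) -> bool:
        if cpe["vendor"] != self.vendor or cpe["product"] != self.product:
            return False
        v = cpe["version"]
        if self.start_including and version_lt(v, self.start_including):
            return False
        if self.end_excluding and not version_lt(v, self.end_excluding):
            return False
        if self.affected_artifacts is not None and artifact_id not in self.affected_artifacts:
            return False
        return True


RULES = [
    # "all versions up to excluding 2.9.8" (NVD analysis, as quoted above)
    CpeMatch("CVE-2018-1000873", "fasterxml", "jackson-databind", end_excluding="2.9.8"),
    # "2.8.0 up to excluding 2.8.11.3" (NVD analysis, as quoted above)
    CpeMatch("CVE-2018-14719", "fasterxml", "jackson-databind", "2.8.0", "2.8.11.3"),
    # assumption: 2.8.x window ending at the "fixed in 2.8.11.4" release
    CpeMatch("CVE-2019-14379", "fasterxml", "jackson-databind", "2.8.0", "2.8.11.4"),
    # no version bound given in the thread; the artifact filter decides
    CpeMatch("CVE-2018-1327", "apache", "struts",
             affected_artifacts=frozenset({"struts2-rest-plugin"})),
]


def vulnerable_cves(cpe_string: str, artifact_id: str) -> list:
    """CVEs whose rule matches this CPE and artifact, in RULES order."""
    cpe = parse_cpe23(cpe_string)
    return [r.cve for r in RULES if r.matches(cpe, artifact_id)]


if __name__ == "__main__":
    # CPE strings taken from the issue body above
    jackson = "cpe:2.3:a:fasterxml:jackson-databind:2.8.11.4:*:*:*:*:*:*:*"
    struts = "cpe:2.3:a:apache:struts:2.3.37:*:*:*:*:*:*:*"
    print("jackson-databind 2.8.11.4:", vulnerable_cves(jackson, "jackson-databind"))
    print("struts2-core 2.3.37:      ", vulnerable_cves(struts, "struts2-core"))
    print("struts2-rest-plugin 2.3.37:", vulnerable_cves(struts, "struts2-rest-plugin"))
```

Run as written, jackson-databind 2.8.11.4 matches only CVE-2018-1000873, which is exactly the thread's conclusion, and struts2-core 2.3.37 matches nothing while struts2-rest-plugin still does. The artifact filter is the part a real scanner lacks when it keys purely on CPE, which is why a shared `apache:struts` CPE produces the struts2-core false positive; suppressing it per artifact rather than per CVE keeps the finding for the plugin that is actually affected.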
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11.4
cpe:2.3:a:fasterxml:jackson:2.8.11.4:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-databind:2.8.11.4:*:*:*:*:*:*:*
https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.37
cpe:2.3:a:apache:struts:2.3.37:*:*:*:*:*:*:*
On maven repo, the developer seems to be maintaining multiple branches at the same time. I find that these old branches got updates as the latest one does (according to the date). I think they have fixed the vulnerabilities for them.