Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FP]: CVE-2022-41852 has been rejected #5092

Open
RomRom1 opened this issue Nov 25, 2022 · 5 comments
Open

[FP]: CVE-2022-41852 has been rejected #5092

RomRom1 opened this issue Nov 25, 2022 · 5 comments
Labels
FP Report maven changes to the maven plugin ossindex Label for issues that relate to the OSSIndex API

Comments

@RomRom1
Copy link

RomRom1 commented Nov 25, 2022

Package URl

pkg:maven/commons-jxpath/commons-jxpath@1.3

CPE

cpe:2.3:a:apache:commons_jxpath:1.3:::::::*

CVE

CVE-2022-41852

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

7.3.2

Description

CVE-2022-41852 has been rejected

This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue

Present in spring-cloud-netflix-eureka-client v3.1.4 ( cf. Netflix/eureka#1471 )

[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:3.1.4:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:3.1.4:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.10.17:compile
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:compile
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
@github-actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>commons-jxpath</groupId>
   <artifactId>commons-jxpath</artifactId>
   <version>1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5092
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3547275815

@github-actions github-actions bot added the maven changes to the maven plugin label Nov 25, 2022
@github-actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>commons-jxpath</groupId>
   <artifactId>commons-jxpath</artifactId>
   <version>1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5092
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3547368448

@aikebah aikebah added the ossindex Label for issues that relate to the OSSIndex API label Nov 26, 2022
@aikebah
Copy link
Collaborator

aikebah commented Nov 26, 2022

Something you should take up with the vulnerability source - Sonatype OSSIndex. As their researchers link package-URLs to vulnerabilities their researchers are either not aware of it, or they disagree with the analysis that it's not a security vulnerability. Best course forward would be opening a ticket for it at https://github.com/OSSIndex/vulns (which is known to sometimes take a while to get responses).

Also note the discussions on the related github issue: there is a big security risk in the library when you use it to process XPaths (partly) based on untrusted inputs

@github-actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>commons-jxpath</groupId>
   <artifactId>commons-jxpath</artifactId>
   <version>1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5092
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3563743697

@RomRom1
Copy link
Author

RomRom1 commented Nov 28, 2022

@aikebah Thanks for your advice !

To go further : apache/commons-jxpath#25 & apache/commons-jxpath#26

In particular case of Eureka Client, an issue has been opened : Netflix/eureka#1471

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
FP Report maven changes to the maven plugin ossindex Label for issues that relate to the OSSIndex API
Projects
None yet
Development

No branches or pull requests

2 participants