Is it a False Positive?


Amit Agarwal

Jun 3, 2014, 3:21:38 AM
to dependen...@googlegroups.com
Dear Jeremy, 

During a code scan, I observed the following case:

dependency in question : commons-fileupload-1.3.jar

The report recommended upgrading to the latest jar, which is commons-fileupload-1.3.1.jar.

I did a rescan of the updated code base with the latest jar.

The report still shows the vulnerable jar as commons-fileupload-1.3.1.jar.

There is no later version than the available commons-fileupload-1.3.1.jar, as also mentioned on the Apache website: http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1

Kindly throw some light on the case, if you can.

Thanks & Regards,

Amit Agarwal

Steve Springett

Jun 3, 2014, 10:06:38 AM
to dependen...@googlegroups.com
Amit,

This is not a false positive. The CPEs for CVE-2014-0050 have the following entry:

cpe:/a:apache:commons_fileupload:1.3.1 and previous versions

As far as Dependency-Check is concerned, it flagged this correctly as being vulnerable. But in reality, it might be a data entry issue at NIST.

http://markmail.org/message/tb2kppzkhymbvxjz

—Steve


--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.

Jeremy Long

Jun 12, 2014, 12:24:00 PM
to Steve Springett, dependen...@googlegroups.com
Amit,

I believe the NVD data has been updated - you should no longer need a suppression file entry for Apache Commons FileUpload 1.3.1.

--Jeremy
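For reference, this is what the suppression file entry Jeremy mentions would look like while the NVD data was still wrong. It is an added example, not something posted in the thread or shipped by Dependency-Check; the Maven coordinates commons-fileupload:commons-fileupload:1.3.1 and the schema URL are assumptions based on the current Dependency-Check suppression format. The point of the shape is to suppress only CVE-2014-0050 and only for the 1.3.1 artifact, so that a downgrade to 1.3 (which really is vulnerable) or a future CVE against 1.3.1 is still reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not from the thread or the project).
     Pass it to the Dependency-Check CLI with the "suppression" option, or
     via the suppressionFile property of the Maven/Ant plugins. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2014-0050 is fixed in commons-fileupload 1.3.1, but at the time
        of this thread the NVD CPE entry read "1.3.1 and previous versions",
        so Dependency-Check matched the fixed jar too.
        Scoped to the exact GAV and the single CVE: a downgrade to 1.3, or a
        new CVE filed against 1.3.1, must still be reported.
        Remove this entry once the NVD data is corrected.
        ]]></notes>
        <!-- groupId:artifactId:version, anchored so 1.3.10 etc. would not match -->
        <gav regex="true">^commons-fileupload:commons-fileupload:1\.3\.1$</gav>
        <cve>CVE-2014-0050</cve>
    </suppress>
</suppressions>
```

Avoid the tempting broader forms (suppressing by file name or by the whole cpe:/a:apache:commons_fileupload CPE) because those hide every finding for the library, not just the one caused by the data-entry error. The suppress element also accepts an until attribute that expires the suppression on a given date, which is a reasonable way to make sure an entry like this gets revisited after the NVD fix Jeremy describes.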