We were alerted to a vulnerability in our application due to CVE-2015-5209 (an issue with Struts2) via an outside entity. Dependency Check did not pick up this CVE. I reviewed the NVD and CVE websites. NVD does not list this CVE. The CVE website has a placeholder for this CVE. The Apache Struts2 project page does list the vulnerability. The same applies for CVE-2015-5169.
Is it common for a CVE to be reserved but not completed? Would this be a lapse on Apache's part for not backfilling the CVE DB?
Thanks
Bill D.
Jeremy,
Thanks for the clarification. It looks like Apache is lagging a little on the updates. I've been reviewing other vuln DBs to get a feel for what is available. Links to OSVDB from the CVE site are all broken; do you know what has happened to the OSVDB? Their blog is an interesting read, but that is all I can get to on their site.
Thanks
Bill