Dependency-Check is reporting a CVE in the Microsoft.VisualStudio.Telemetry DLL
But when we looked at the raw output and the link below, we found that there is no vulnerability present in the mentioned DLL file, yet the same component is marked as vulnerable per the logs:
    {
      "id" : "pkg:generic/Microsoft.Visual...@15.8.956",
      "confidence" : "MEDIUM",
      "url" : "https://ossindex.sonatype.org/component/pkg:generic/Microsoft.Visual...@15.8.956?utm_source=dependency-check&utm_medium=integration&utm_content=6.0.3"
    } ],
    "vulnerabilityIds" : [ {
      "id" : "cpe:2.3:a:microsoft:visual_studio:15.8.956:::::::*",
      "confidence" : "LOW"
    } ],
    "vulnerabilities" : [ {
      "source" : "NVD",
      "name" : "CVE-2014-3802",
      "severity" : "MEDIUM",
      "cvssv2" : {
        "score" : 6.8,
        "accessVector" : "NETWORK",
        "accessComplexity" : "MEDIUM",
        "authenticationr" : "NONE",
        "confidentialImpact" : "PARTIAL",
        "integrityImpact" : "PARTIAL",
        "availabilityImpact" : "PARTIAL",
        "severity" : "MEDIUM",
        "version" : "2.0",
        "exploitabilityScore" : "8.6",
        "impactScore" : "6.4",
        "userInteractionRequired" : "true"
      }
We are scanning the IIS Express folder (C:\Program Files\IIS Express).
IIS Express Version : 10.0.19041.1
OS : Windows 2019 Server
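
Added example, not part of the original report and not Dependency-Check's own code: a triage pass over the JSON report that lists CVEs resting only on a low-confidence CPE match, printing the CPE vendor:product next to the file name so a mismatch like the one above is visible. The "dependencies" and "fileName" keys and the sample report are assumptions; the other field names come from the excerpt.

```python
import json

# Confidence labels used in the report, weakest first.
LEVELS = ["LOW", "MEDIUM", "HIGH", "HIGHEST"]

def rank(label):
    # Unknown or missing labels rank weakest so they get reviewed, not trusted.
    return LEVELS.index(label) if label in LEVELS else 0

def weak_cpe_findings(report, threshold="LOW"):
    """List CVEs whose best supporting CPE match is at or below `threshold`."""
    flagged = []
    for dep in report.get("dependencies", []):  # assumed top-level key
        cpes = dep.get("vulnerabilityIds", [])
        vulns = dep.get("vulnerabilities", [])
        if not cpes or not vulns:
            continue
        best = max(cpes, key=lambda c: rank(c.get("confidence")))
        if rank(best.get("confidence")) > rank(threshold):
            continue
        # cpe:2.3:<part>:<vendor>:<product>:... -> fields 3 and 4
        parts = best.get("id", "").split(":")
        product = ":".join(parts[3:5])
        for v in vulns:
            flagged.append({
                "file": dep.get("fileName", "?"),  # assumed key
                "cpe_product": product,
                "cpe_confidence": best.get("confidence"),
                "cve": v.get("name"),
            })
    return flagged

# Constructed sample: the first entry mirrors the excerpt above,
# the second is a made-up strong match with a placeholder CVE id.
SAMPLE = json.loads("""
{"dependencies": [
  {"fileName": "Microsoft.VisualStudio.Telemetry.dll",
   "vulnerabilityIds": [{"id": "cpe:2.3:a:microsoft:visual_studio:15.8.956:*:*:*:*:*:*:*", "confidence": "LOW"}],
   "vulnerabilities": [{"source": "NVD", "name": "CVE-2014-3802", "severity": "MEDIUM"}]},
  {"fileName": "example-widget.dll",
   "vulnerabilityIds": [{"id": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*", "confidence": "HIGHEST"}],
   "vulnerabilities": [{"source": "NVD", "name": "CVE-0000-0000", "severity": "HIGH"}]}
]}
""")

if __name__ == "__main__":
    for finding in weak_cpe_findings(SAMPLE):
        print(finding)
```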