Re: CVE's are not picked up with dependency-check version: 5.3.2


Jeremy Long

May 7, 2021, 9:00:06 AM
to Kiran Hariyapuraju, Dependency Check
The NVD indicates that CVE-2021-22112 only affects version 5 - as such, version 4.x of spring-security should not get flagged.

Regarding json-smart - yes, there was a defect and a fix has been created and will be included in the next release of ODC.

--jeremy

On Fri, May 7, 2021 at 2:21 AM Kiran Hariyapuraju <hariya...@gmail.com> wrote:
Hi Team,

We are currently using dependency-check version: 5.3.2. There are CVEs listed
against the below libraries when seen in NVD, but the report does not show them. The report is attached.

json-smart-2.2.1.jar - https://nvd.nist.gov/vuln/detail/CVE-2021-27568
spring-security-web-4.2.19.RELEASE.jar - https://nvd.nist.gov/vuln/detail/CVE-2021-22112


Thanks,
Kiran

Kiran Hariyapuraju

May 10, 2021, 12:57:34 AM
to Jeremy Long, Dependency Check
Hi Jeremy,

Thanks for the reply. In CVE-2021-22112 it says "older unsupported versions". I thought 4.x comes under older
supported versions. Please correct me if I am wrong.

"Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE,
and older unsupported versions can fail to save the SecurityContext
if it is changed more than once in a single request."


Thanks,
Kiran

Hans Aikema

May 11, 2021, 11:27:58 AM
to Kiran Hariyapuraju, Jeremy Long, Dependency Check
Based on what I can find online, your understanding that any version <5.2.9 is affected is correct. I'll send a report to NVD that their current listing is inaccurate according to the vendor report that they already included in the references.
It should resolve itself once NIST gets around to reviewing and processing my feedback by an update of the NIST NVD data feed.

Hans Aikema, sent directly from iCloud

On 10 May 2021 at 06:57, Kiran Hariyapuraju <hariya...@gmail.com> wrote:


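As an added illustration (not code from dependency-check or from anyone in this thread), the check below mirrors how NVD-style cpe_match entries with versionStart/versionEnd bounds decide whether an artifact version is flagged. The ranges are constructed from the advisory sentence quoted above rather than taken from the live NVD record, and the CPE vendor name is a placeholder.

```python
# Added example, not code from dependency-check or from anyone in this thread.
# It mirrors how NVD-style cpe_match entries (versionStartIncluding /
# versionEndExcluding, ...) decide whether an artifact version is flagged,
# and why ranges that only cover 5.x never match spring-security 4.2.19.
import operator

# Placeholder CPE: the real vendor/product string is not taken from the thread.
CPE = "cpe:2.3:a:example_vendor:spring_security:*:*:*:*:*:*:*:*"

# Constructed from the advisory text quoted in the thread (not the live NVD record):
# 5.4.x before 5.4.4, 5.3.x before 5.3.8, 5.2.x before 5.2.9.
NVD_STYLE_RANGES = [
    {"vulnerable": True, "cpe23Uri": CPE, "versionStartIncluding": "5.2.0", "versionEndExcluding": "5.2.9"},
    {"vulnerable": True, "cpe23Uri": CPE, "versionStartIncluding": "5.3.0", "versionEndExcluding": "5.3.8"},
    {"vulnerable": True, "cpe23Uri": CPE, "versionStartIncluding": "5.4.0", "versionEndExcluding": "5.4.4"},
]
# "and older unsupported versions": an open-start range below the oldest fixed branch.
OLDER_UNSUPPORTED = {"vulnerable": True, "cpe23Uri": CPE, "versionEndExcluding": "5.2.0"}
VENDOR_TEXT_RANGES = NVD_STYLE_RANGES + [OLDER_UNSUPPORTED]

BOUNDS = (
    ("versionStartIncluding", operator.ge),
    ("versionStartExcluding", operator.gt),
    ("versionEndIncluding", operator.le),
    ("versionEndExcluding", operator.lt),
)

def parse_version(text):
    """'4.2.19.RELEASE' -> (4, 2, 19); parsing stops at the first non-numeric segment."""
    parts = []
    for segment in text.split("."):
        if not segment.isdigit():
            break
        parts.append(int(segment))
    return tuple(parts)

def in_range(version, cpe_match):
    """True when every bound present in the cpe_match entry holds for the version."""
    v = parse_version(version)
    for key, holds in BOUNDS:
        if key in cpe_match:
            b = parse_version(cpe_match[key])
            width = max(len(v), len(b))  # pad so (5, 2) and (5, 2, 0) compare equal
            if not holds(v + (0,) * (width - len(v)), b + (0,) * (width - len(b))):
                return False
    return True

def matching_ranges(version, cpe_matches):
    """Entries that would flag the version; an empty list means 'not reported'."""
    return [m for m in cpe_matches if m.get("vulnerable", True) and in_range(version, m)]
```

`matching_ranges("4.2.19.RELEASE", NVD_STYLE_RANGES)` is empty, while the same call against `VENDOR_TEXT_RANGES` returns the open-start entry, which is the gap the thread describes.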