Detected a few vulnerabilities - CVE-2021-29425/CVE-2020-8908
demolina76 opened this issue · 2 comments
Are the following vulnerabilities false positive?
CVE-2020-8908
CVE-2021-29425
For CVE-2020-8908, it is regarding the Guava API com.google.common.io.Files.createTempDir(). Although I was not able to find any references of this method in the source, can we confirm that it is not used? The dependency is included in the jmxterm-1.0.2-uber.jar file though.
For CVE-2021-29425, it is regarding the FilenameUtils.normalize method in the Apache commons-io versions older than 2.7. I do see that this has been changed from 2.6 to 2.7 in the POM, yet the current available jar doesn't have this change. Also I was not able to find the method mentioned in the source either.
Thank you in advance.
Security scanners at our customer report jmxterm as being vulnerable to these CVEs. While our analysis makes us think these are false positives, we are hoping the jmxterm developers can help us confirm this.
A new release of jmxterm would also help - as we see that #97 bumps commons.io from 2.6 to 2.7 - but this isn't yet released. Any ETA for a new release that might help address these security scanner warnings? We like to be able to recommend jmxterm to our customers. Thank you!
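Both posts above ask the same question: does the uber jar actually contain a call to `com.google.common.io.Files.createTempDir()` or `org.apache.commons.io.FilenameUtils.normalize()`? Because an uber jar bundles compiled bytecode, the reliable place to look is each class file's constant pool rather than the project's source. The script below is an added example, not code from the jmxterm project or from either commenter: it opens a jar, parses the constant pool of every `.class` entry and reports any `Methodref` to the two methods the CVEs concern. `build_class`, `build_jar` and the `com/example/...` class names are constructed stand-ins so it runs offline; point `scan_jar` at the real jar bytes to check jmxterm-1.0.2-uber.jar.

```python
import io
import struct
import zipfile

# Methods named in the two CVEs, keyed as (internal class name, method name).
WATCH = {
    ("com/google/common/io/Files", "createTempDir"): "CVE-2020-8908",
    ("org/apache/commons/io/FilenameUtils", "normalize"): "CVE-2021-29425",
}


def parse_constant_pool(data):
    """Parse a class file's constant pool into a 1-indexed list of (tag, payload)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = [None] * count
    off, i = 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                   # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in (7, 8, 16, 19, 20):                # Class, String, MethodType, Module, Package
            (ref,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, ref)
        elif tag in (3, 4):                            # Integer, Float
            off += 4
            pool[i] = (tag, None)
        elif tag in (5, 6):                            # Long, Double occupy two slots
            off += 8
            pool[i] = (tag, None)
            i += 1
        elif tag in (9, 10, 11, 12, 17, 18):           # Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
            a, b = struct.unpack_from(">HH", data, off)
            off += 4
            pool[i] = (tag, (a, b))
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            off += 3
            pool[i] = (tag, None)
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def method_refs(data):
    """Return the set of (owner class, method name) pairs a class file references."""
    pool = parse_constant_pool(data)
    refs = set()
    for entry in pool:
        if entry is None or entry[0] not in (10, 11):  # Methodref / InterfaceMethodref
            continue
        cls_idx, nat_idx = entry[1]
        owner = pool[pool[cls_idx][1]][1]
        name_idx, _desc_idx = pool[nat_idx][1]
        refs.add((owner, pool[name_idx][1]))
    return refs


def scan_jar(jar_bytes, package_prefix=""):
    """Map CVE id -> [(class entry, (owner, method))] for every watched reference in the jar.

    package_prefix restricts the scan to the project's own classes (e.g. "org/cyclopsgroup/"),
    so hits inside the bundled library's own internals can be separated from real callers.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class") or not info.filename.startswith(package_prefix):
                continue
            for ref in method_refs(zf.read(info)):
                if ref in WATCH:
                    findings.setdefault(WATCH[ref], []).append((info.filename, ref))
    return findings


# --- constructed sample input (not real jmxterm classes) ---------------------------

def build_class(this_name, calls):
    """Build a minimal, method-less class file whose constant pool holds Methodrefs for `calls`."""
    entries = []

    def add(blob):
        entries.append(blob)
        return len(entries)                            # constant pool indexes are 1-based

    def utf8(s):
        raw = s.encode()
        return add(b"\x01" + struct.pack(">H", len(raw)) + raw)

    def cls(name):
        return add(b"\x07" + struct.pack(">H", utf8(name)))

    this_idx, super_idx = cls(this_name), cls("java/lang/Object")
    for owner, name, desc in calls:
        owner_idx = cls(owner)
        nat_idx = add(b"\x0c" + struct.pack(">HH", utf8(name), utf8(desc)))
        add(b"\x0a" + struct.pack(">HH", owner_idx, nat_idx))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(entries) + 1)
    trailer = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(entries) + trailer


def build_jar(files):
    """Zip {entry name: bytes} into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jar():
    return build_jar({
        "com/example/PathHelper.class": build_class("com/example/PathHelper", [
            ("org/apache/commons/io/FilenameUtils", "normalize", "(Ljava/lang/String;)Ljava/lang/String;")]),
        "com/example/TmpHelper.class": build_class("com/example/TmpHelper", [
            ("com/google/common/io/Files", "createTempDir", "()Ljava/io/File;")]),
        "com/example/Clean.class": build_class("com/example/Clean", [
            ("java/lang/String", "length", "()I")]),
    })


if __name__ == "__main__":
    for cve, hits in scan_jar(build_sample_jar()).items():
        print(cve, hits)
```

A constant-pool scan only shows direct bytecode references; it will not see calls made through reflection, and it will always find hits inside the bundled library's own packages (commons-io's other classes call `normalize` themselves), which is why the `package_prefix` filter matters. It also does not change what a dependency scanner reports, since those match on the bundled artifact version rather than on usage; the commons-io bump in #97 shipping in a release is what clears that warning.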
A new version 1.0.3 is released.