qos-ch/logback-contrib

Library vulnerable to CVE-2017-5929

Opened this issue · 3 comments

This library has been identified as vulnerable to CVE-2017-5929, which is listed as a Critical severity issue. Can this please be resolved?

see https://nvd.nist.gov/vuln/detail/CVE-2017-5929

Found using dependency-check-maven https://jeremylong.github.io/DependencyCheck/dependency-check-maven/

This was a false positive.
Fixed in
jeremylong/DependencyCheck#2594
which will be in DependencyCheck v5.4.0.

The workaround in lower versions of DC is to define the suppression manually.
Here is a sample suppression file:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress base="true">
        <notes><![CDATA[
        FP per #2594
        ]]></notes>
        <!-- Scoped to ch.qos.logback.contrib artifacts only: a ch.qos.logback:logback-core
             purl does not match this regex, so a genuine CVE-2017-5929 finding is still reported -->
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/.*$</packageUrl>
        <cpe>cpe:/a:logback:logback</cpe>
    </suppress>
</suppressions>
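
A small added check (written for this page; it is not code from the issue, from logback-contrib or from DependencyCheck) that parses a suppression file like the one above and tells you which package URLs it would silence. The point it shows: the posted rule is scoped to `ch.qos.logback.contrib`, so a real `ch.qos.logback:logback-core` finding for CVE-2017-5929 still reaches the report, whereas a hypothetical broader regex (`^pkg:maven/ch\.qos\.logback.*$`, constructed here for contrast) would hide it too. Assumptions: the purl regex is applied as a full match and a `<cpe>` value matches any CPE it prefixes; this approximates the plugin's behaviour and is not the plugin's own matching code. The sample dependencies are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace declared by the dependency-suppression 1.3 schema.
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed copy of the suppression file posted in the thread, embedded so
# the script runs offline.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress base="true">
        <notes><![CDATA[
        FP per #2594
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/.*$</packageUrl>
        <cpe>cpe:/a:logback:logback</cpe>
    </suppress>
</suppressions>
"""

# Hypothetical over-broad variant for contrast: without "\.contrib" the regex
# also matches the ch.qos.logback group that really ships logback-core.
BROAD_XML = SUPPRESSION_XML.replace(r"logback\.contrib/.*", r"logback.*")


def load_rules(xml_text):
    """Parse <suppress> entries into (compiled purl pattern, [cpe prefixes])."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall(NS + "suppress"):
        purl_el = sup.find(NS + "packageUrl")
        if purl_el is None or not purl_el.text:
            continue
        text = purl_el.text.strip()
        # regex="true" means the text is a pattern; otherwise a literal purl.
        purl_re = re.compile(text if purl_el.get("regex") == "true" else re.escape(text))
        cpes = [c.text.strip() for c in sup.findall(NS + "cpe") if c.text]
        rules.append((purl_re, cpes))
    return rules


def is_suppressed(rules, purl, cpe):
    """True if a rule's packageUrl fully matches `purl` and one of its <cpe>
    values equals or prefixes `cpe`. Assumption: approximates the plugin's
    matching; it is not DependencyCheck's own code."""
    for purl_re, cpes in rules:
        if purl_re.fullmatch(purl) is None:
            continue
        if any(cpe == c or cpe.startswith(c + ":") for c in cpes):
            return True
    return False


# Constructed sample of what a scan of a build might see: the logback-contrib
# artifact the issue is about and the real logback-core the CVE applies to.
SAMPLE_DEPENDENCIES = [
    ("pkg:maven/ch.qos.logback.contrib/logback-json-classic@0.1.5",
     "cpe:/a:logback:logback:0.1.5"),
    ("pkg:maven/ch.qos.logback/logback-core@1.1.3",
     "cpe:/a:logback:logback:1.1.3"),
]


def silenced(rules, deps=SAMPLE_DEPENDENCIES):
    """Return the purls that the rules would hide from the report."""
    return [purl for purl, cpe in deps if is_suppressed(rules, purl, cpe)]


def check_scope(xml_text, must_keep="pkg:maven/ch.qos.logback/logback-core@1.1.3"):
    """True if the suppression file still leaves `must_keep` reportable."""
    return must_keep not in silenced(load_rules(xml_text))


if __name__ == "__main__":
    for name, xml_text in (("posted", SUPPRESSION_XML), ("broad", BROAD_XML)):
        rules = load_rules(xml_text)
        print(name, "silences:", silenced(rules),
              "| logback-core still reported:", check_scope(xml_text))
```

Run it against your real suppression file by swapping `SUPPRESSION_XML` for the file's contents; the file itself is wired into the build through the plugin's `suppressionFiles` configuration. The useful habit is the one `check_scope` encodes: every suppression of a false positive should be paired with the purl of the genuinely affected artifact, to confirm the rule does not swallow it as well.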

I thought it would be necessary to upgrade the ch.qos.logback dependencies from v1.1.3 to v1.2.0?

I second that this should depend on logback 1.2.0 in order to fix that vulnerability.
Are there any plans to update the dependency?