Vulnerability reported in version 4.2.1

[anttiSalmivaara]

NVD check reports CVE-2022-40152 found in stax2-api version 4.2.1

[cowtowncoder]

But isn't that against Woodstox? Stax2-api has no dependency on Woodstox: Woodstox implements stax2-api, not the other way around.

So I don't see how this could be accurate.

[jpoikela]

owasp check gives this now:

Warning:  

One or more dependencies were identified with known vulnerabilities in NNNN:

stax2-api-4.2.1.jar (pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1, cpe:2.3:a:fasterxml:woodstox:4.2.1:*:*:*:*:*:*:*) : CVE-2022-40152

See the dependency-check report for more details.

and mvn repository also points here
https://mvnrepository.com/artifact/org.codehaus.woodstox/stax2-api/4.2.1

can you @cowtowncoder confirm that this information is inaccurate

[cowtowncoder]

@jpoikela Yes, this is inaccurate. Someone should actually point out WHAT SPECIFICALLY is supposed to be the problem with stax2-api. But there seem to be severe issues with many of these submissions with bad metadata, incorrect applicability etc.

I think whoever added applicability did not really know what they were doing. :-(

(Tekisi melkein mieli ehdottaa että "taas joku saatanan tunari asialla" mutta ehkäpä on jotain lieventäviä asianhaaroja :) )