[FP]: spring-core-5.3.19.jar CVE-2016-1000027 #4558
Comments
Maven Coordinates:

```xml
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-core</artifactId>
  <version>5.3.19</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
  <notes><![CDATA[
  FP per issue #4558
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.springframework/spring-core@.*$</packageUrl>
  <cpe>cpe:/a:vmware:spring_framework</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2419868460
I also stumbled over this vulnerability. In the Spring repo there is an ongoing discussion: spring-projects/spring-framework#24434. After reading the thread I think this is not a false positive, because the vulnerability is there and was only removed in the Spring 6.x branch. For versions 4.x and 5.x only the user can decide whether the vulnerability may be used by an attacker: https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker
A suppression of this FP (for, among others, spring-core) is scheduled for the next release. You can use a similar suppression until it's released:

```xml
<suppress>
  <notes><![CDATA[
  Issue is in spring-web and will only be fixed by Spring in their next major release.
  So suppressing it for the spring-framework components other than spring-web.
  https://github.com/spring-projects/spring-framework/issues/25379 (deprecation only in current 5.x versions)
  https://github.com/spring-projects/spring-framework/commit/5822f1bf85b94fd15f9829914b065b1c61910c7d (removal in 6.0.0-M1)
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/(?!org\.springframework/spring\-web@).*$</packageUrl>
  <cve>CVE-2016-1000027</cve>
</suppress>
```
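Before copying either of the suppression rules above (the `<cpe>`-based one for spring-core and the `<cve>`-based one with the negative lookahead) into a project, it is worth checking exactly which findings they hide. The script below is an added example for this thread, not code from DependencyCheck or from anyone posting here. It parses both rules from a constructed suppression file and applies a simplified model of ODC matching (an assumption, not ODC's actual implementation): a rule applies when its `<packageUrl>` matches the dependency's package URL and either its `<cve>` equals the finding's CVE or its `<cpe>` names the same vendor and product as the finding's CPE. The findings and the `CVE-2099-0001` placeholder are constructed for illustration.

```python
"""Apply the two suppression rules from this thread to sample findings.

Added example; the matching rules below are a simplified model (assumption),
not DependencyCheck's own implementation.
"""
import re
import xml.etree.ElementTree as ET

# Constructed suppression file carrying both rules quoted in the thread.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[FP per issue #4558]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring-core@.*$</packageUrl>
    <cpe>cpe:/a:vmware:spring_framework</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[Issue is in spring-web; suppress the CVE for the other components.]]></notes>
    <packageUrl regex="true">^pkg:maven/(?!org\.springframework/spring\-web@).*$</packageUrl>
    <cve>CVE-2016-1000027</cve>
  </suppress>
</suppressions>
"""


def load_rules(xml_text):
    """Parse each <suppress> element into a dict: purl pattern, regex flag, CVEs, CPEs."""
    rules = []
    for element in ET.fromstring(xml_text):
        if element.tag.rsplit("}", 1)[-1] != "suppress":   # drop the namespace prefix
            continue
        rule = {"purl": None, "purl_regex": False, "cve": set(), "cpe": []}
        for child in element:
            name, text = child.tag.rsplit("}", 1)[-1], (child.text or "").strip()
            if name == "packageUrl":
                rule["purl"] = text
                rule["purl_regex"] = child.get("regex", "false").lower() == "true"
            elif name == "cve":
                rule["cve"].add(text)
            elif name == "cpe":
                rule["cpe"].append(text)
        rules.append(rule)
    return rules


def cpe_vendor_product(cpe):
    """(vendor, product) from a 2.2 'cpe:/a:v:p' or a 2.3 'cpe:2.3:a:v:p:...' string."""
    parts = cpe.split(":")
    return (parts[3], parts[4]) if parts[1] == "2.3" else (parts[2], parts[3])


def purl_matches(rule, purl):
    """Mirror Java's Matcher.matches(): the regex must cover the whole package URL."""
    if rule["purl"] is None:
        return True   # assumption: a rule without an identifier applies to every dependency
    if rule["purl_regex"]:
        return re.fullmatch(rule["purl"], purl) is not None
    return rule["purl"] == purl


def suppressing_rule(rules, finding):
    """Index of the first rule that hides the finding, or None if it stays in the report."""
    for index, rule in enumerate(rules):
        if not purl_matches(rule, finding["purl"]):
            continue
        if finding["cve"] in rule["cve"]:
            return index
        target = cpe_vendor_product(finding["cpe"])
        if any(cpe_vendor_product(c) == target for c in rule["cpe"]):
            return index
    return None


SPRING_CPE = "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*"
CVE = "CVE-2016-1000027"

# Constructed findings; CVE-2099-0001 is a placeholder identifier, not a real CVE.
FINDINGS = [
    {"purl": "pkg:maven/org.springframework/spring-core@5.3.19", "cve": CVE, "cpe": SPRING_CPE},
    {"purl": "pkg:maven/org.springframework/spring-web@5.3.19", "cve": CVE, "cpe": SPRING_CPE},
    {"purl": "pkg:maven/org.springframework/spring-webmvc@5.3.19", "cve": CVE, "cpe": SPRING_CPE},
    {"purl": "pkg:maven/org.springframework/spring-core@5.3.19", "cve": "CVE-2099-0001", "cpe": SPRING_CPE},
    {"purl": "pkg:maven/com.example/app@1.0", "cve": CVE, "cpe": SPRING_CPE},
]

RULES = load_rules(SUPPRESSIONS_XML)


def report(rules=RULES, findings=FINDINGS):
    """Return (purl, cve, suppressing rule index or None) for each finding."""
    return [(f["purl"], f["cve"], suppressing_rule(rules, f)) for f in findings]


if __name__ == "__main__":
    for purl, cve, index in report():
        state = "kept" if index is None else f"suppressed by rule {index}"
        print(f"{purl:55} {cve:17} {state}")
```

Two things the output makes visible under this model: the negative-lookahead rule hides CVE-2016-1000027 on every artifact that is not spring-web, including the unrelated `com.example/app`, not only on the other spring-framework modules; and the `<cpe>` rule removes the whole `spring_framework` CPE from spring-core, so any other CVE attached through that CPE (the placeholder finding) disappears with it. Narrow the `<packageUrl>` regex if either effect is wider than intended.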
Package URL: pkg:maven/org.springframework/spring-core@5.3.19

CPE: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.0

CVE: CVE-2016-1000027

ODC Integration: Maven Plugin

ODC Version: 7.1.0

Description: According to https://nvd.nist.gov/vuln/detail/CVE-2016-1000027#VulnChangeHistorySection the CPE version range was recently changed to 6.0.0, but it is not clear why. The description text still mentions 5.3.16.