[FP]: spring-core-5.3.19.jar CVE-2016-1000027 #4558

Closed
urld opened this issue Jun 1, 2022 · 3 comments
Labels: FP Report, maven (changes to the maven plugin)

Comments

urld commented Jun 1, 2022

Package URL

pkg:maven/org.springframework/spring-core@5.3.19

CPE

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.0

CVE

CVE-2016-1000027

ODC Integration

Maven Plugin

ODC Version

7.1.0

Description

According to https://nvd.nist.gov/vuln/detail/CVE-2016-1000027#VulnChangeHistorySection the cpe version range was recently changed to 6.0.0 but it is not clear why. The description text still mentions 5.3.16.

@urld urld added the FP Report label Jun 1, 2022
github-actions bot commented Jun 1, 2022

Maven Coordinates

<dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-core</artifactId>
   <version>5.3.19</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4558
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework/spring-core@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_framework</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2419868460

@github-actions github-actions bot added the maven (changes to the maven plugin) label Jun 1, 2022
@wolframhaussig

I also stumbled over this vulnerability. In the Spring Repo there is a discussion ongoing: spring-projects/spring-framework#24434

After reading the thread I think this is not a false positive because the vulnerability is there and was only removed in the Spring 6.x branch. For version 4.x and 5.x only the user can decide if the vulnerability may be used by an attacker: https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker

aikebah commented Jun 2, 2022

A suppression of this FP (for, among others, spring-core) is scheduled for the next release. You can use a similar suppression until it's released:

    <suppress>
       <notes><![CDATA[
       Issue is in spring-web and will only be fixed by Spring in their next major release.
       So suppressing it for the spring-framework components other than spring-web.
       https://github.com/spring-projects/spring-framework/issues/25379 (deprecation only in current 5.x versions)
       https://github.com/spring-projects/spring-framework/commit/5822f1bf85b94fd15f9829914b065b1c61910c7d (removal in 6.0.0-M1)
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/(?!org\.springframework/spring\-web@).*$</packageUrl>
       <cve>CVE-2016-1000027</cve>
    </suppress>
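As an added check (not part of the thread or of dependency-check itself), this Python snippet replays the packageUrl regex and CVE from the suppression above against a few constructed findings, assuming dependency-check hides a finding only when both the packageUrl and the cve conditions match:

```python
import re

# Conditions from the <suppress> rule above, copied verbatim.
PACKAGE_URL_REGEX = r"^pkg:maven/(?!org\.springframework/spring\-web@).*$"
SUPPRESSED_CVE = "CVE-2016-1000027"

# Constructed sample findings (purl, CVE), not real scanner output.
# "CVE-0000-PLACEHOLDER" stands in for any other CVE on the same artifact.
SAMPLE_FINDINGS = [
    ("pkg:maven/org.springframework/spring-core@5.3.19", "CVE-2016-1000027"),
    ("pkg:maven/org.springframework/spring-web@5.3.19", "CVE-2016-1000027"),
    ("pkg:maven/org.springframework/spring-webmvc@5.3.19", "CVE-2016-1000027"),
    ("pkg:maven/org.springframework/spring-core@5.3.19", "CVE-0000-PLACEHOLDER"),
    ("pkg:maven/com.example/other-lib@1.0", "CVE-2016-1000027"),
]


def is_suppressed(purl, cve, purl_regex=PACKAGE_URL_REGEX, cve_id=SUPPRESSED_CVE):
    """Assumed rule semantics: a finding is hidden only when BOTH the
    <packageUrl regex="true"> pattern and the <cve> element match it."""
    return cve == cve_id and re.match(purl_regex, purl) is not None


def apply_suppression(findings):
    """Split findings into (suppressed, still_reported) under the rule."""
    suppressed, reported = [], []
    for purl, cve in findings:
        (suppressed if is_suppressed(purl, cve) else reported).append((purl, cve))
    return suppressed, reported


if __name__ == "__main__":
    hidden, shown = apply_suppression(SAMPLE_FINDINGS)
    print("suppressed by the rule:")
    for purl, cve in hidden:
        print(f"  {purl}  {cve}")
    print("still reported:")
    for purl, cve in shown:
        print(f"  {purl}  {cve}")
```

The lookahead pins `spring-web@` exactly, so spring-webmvc is suppressed along with spring-core, and so is any non-Spring artifact flagged with the same CVE; tighten the regex if that breadth is not intended.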
