False Negative for Hibernate Validator CVE-2014-3558

[albuch]

False negative on library hibernate-validator-5.0.3.Final.jar - reported as cpe:/a:hibernate:hibernate_validator:5.0.3

<dependency>
   <groupId>org.hibernate</groupId>
   <artifactId>hibernate-validator</artifactId>
   <version>5.0.3.Final</version>
</dependency>

Should be reported as CVE-2014-3558.

Not sure though if the Vulnerable software and versions configuration at NVD is the issue.

[jeremylong]

This is an interesting false positive due to the data in the NVD entry. The only good solution I can think of is to parse the description to enhance the "x.x.x before x.x.x, x.x.x before x.x.x, ...". This is a somewhat common description so it may help make other CVEs more accurate.

[jeremylong]

The patches put in place resolve this issue. A longer term plan was opened as issue #646. Again, thanks for pointing this issue out.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.