[FP]: Very old CVE-2014-3576 detected for Apache ActiveMQ 5.17.0 #6474
Comments
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7933177995 |
|
your package is likely sone private package. FPs for such nane collisions are to be expected(see the documentation of DependencyCheck) and dealt with internally for non-public artifacts |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/xx-activemq-log-plugin@2.112.2
CPE
cpe:2.3:a:apache:activemq:2.112.2:::::::*
CVE
CVE-2014-3576
ODC Integration
None
ODC Version
8.4.3
Description
The CVE-2014-3576 was detected and reported by Owasp Dependency Check scan for Aapche ActiveMQ 5.17.0. The vulnerability description clearly states that the vulnerability exists in Apache ActiveMQ 5.x before 5.14.0. This is because, in the application code, xx-activemq-log-plugin takes the version as the project version. The Owasp Dependency report is picking and detecting it as ActiveMQ version and reporting the CVE in the scan report. Therefore, it is a false positive.
The text was updated successfully, but these errors were encountered: