Incorrect vulnerability details CVE-2022-2191 #308
Comments
msymons
changed the title
|
I emailed webtide security and received a response in less than 10 minutes...
ie, this confirms that versions lower than 10.0.0 are not affected by this vulnerability |
|
The github advisory database version has had it's version range updated a few minutes ago ... |
|
For the record, I'm the one that responded to @msymons from "webtide security" portion of his comment with that exact text that he copy/pasted into this issue. |
|
Looks like our researchers got at this one already. Looking at the chart here seems to indicate the issue has been resolved: https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-io |
|
@ken-duck, now what we need is for MITRE to support SWID or PURL so that these kinds of problems can be more easily avoided. I so hate CPE. |
|
@ken-duck, the issue has been resolved for |
Vulnerability URL
Component URL
One example of many...
Description
The OSSI text for vulnerability CVE-2022-2191 states "In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions..." and yet OSSI is incorrectly matching against versions before 10.0.0
If the matching against (say) v9.4.43.v20210629 is deemed to be correct based on internal Sonatype research then the OSSI description text needs to be updated to make this explicitly clear.
I have dug into the GHSA advisories and things are confusing there. The one published in Jetty repo differs that the "official" GHSA... although both have the same id.
"Offical":
https://github.com/advisories/GHSA-8mpp-f3f7-xc28(< 10.0.10, >= 11.0.0, < 11.0.10)"Jetty":
https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28(10.0.0 to 10.0.9, 11.0.0 to 11.0.9)Also, note that both report that the vulnerability affects
jetty-serverand notjetty-io.The text was updated successfully, but these errors were encountered: