
[FP]: CVE-2022-2191 on wrong version range #4663

Closed
tisonkun opened this issue Jul 9, 2022 · 5 comments

Comments

@tisonkun

tisonkun commented Jul 9, 2022

Package URL

pkg:maven/org.eclipse.jetty/jetty-io@9.4.44.v20210927

CPE

Unknown

CVE

CVE-2022-2191

ODC Integration

Maven Plugin

ODC Version

7.1.0

Description

It seems CVE-2022-2191 affects 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions. However, a failure is reported on 9.4.44.

2022-07-09T06:27:11.1110967Z [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project pulsar: 
2022-07-09T06:27:11.1111785Z [ERROR] 
2022-07-09T06:27:11.1113011Z [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
2022-07-09T06:27:11.1113393Z [ERROR] 
2022-07-09T06:27:11.1131241Z [ERROR] jetty-io-9.4.44.v20210927.jar: CVE-2022-2191(7.5)
2022-07-09T06:27:11.1132172Z [ERROR] 
2022-07-09T06:27:11.1132678Z [ERROR] See the dependency-check report for more details.
2022-07-09T06:27:11.1133006Z [ERROR] -> [Help 1]
2022-07-09T06:27:11.1133213Z [ERROR] 
2022-07-09T06:27:11.1133602Z [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
2022-07-09T06:27:11.1134066Z [ERROR] Re-run Maven using the -X switch to enable full debug logging.
2022-07-09T06:27:11.1134338Z [ERROR] 
2022-07-09T06:27:11.1134687Z [ERROR] For more information about the errors and possible solutions, please read the following articles:
2022-07-09T06:27:11.1135145Z [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
2022-07-09T06:27:11.1135454Z [ERROR] 
2022-07-09T06:27:11.1135753Z [ERROR] After correcting the problems, you can resume the build with the command
2022-07-09T06:27:11.1136134Z [ERROR]   mvn <args> -rf :pulsar
tisonkun changed the title from "[FP]:" to "[FP]: CVE-2022-2191 on wrong version range" on Jul 9, 2022
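The report above boils down to a version-range question: the advisory is described as covering 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, yet the scanner matched 9.4.44.v20210927. The following is an added example, not code from this thread or from dependency-check itself. It redoes the range check by hand for Jetty-style versions (numeric components plus an optional `.vYYYYMMDD` build qualifier, which must not be compared as a fifth numeric part) and, only for a version confirmed to be outside every affected range, emits a dependency-check suppression entry pinned to the exact package URL and CVE so a build can pass while the vulnerability sources catch up. The affected ranges are taken from the issue text; the `until` date and note text are placeholders chosen here, and the `<suppressions>` root and `dependency-suppression.1.3.xsd` namespace are the ones the dependency-check suppression documentation uses.

```python
"""Added example: re-check a dependency-check hit against the advisory's
version ranges, then emit a narrowly scoped suppression for a confirmed
false positive. Not part of the issue thread or of dependency-check.
"""
import re
from xml.sax.saxutils import escape

# Affected ranges as stated in the issue text, inclusive on both ends.
CVE_2022_2191_RANGES = [("10.0.0", "10.0.9"), ("11.0.0", "11.0.9")]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.v(\d{8}))?$")
_PURL_RE = re.compile(r"^pkg:maven/([^/@]+)/([^/@]+)@([^?#]+)$")


def parse_version(version):
    """Split 'X.Y.Z' or 'X.Y.Z.vYYYYMMDD' into (numeric tuple, build qualifier).

    The Jetty 9.4 build date is kept out of the numeric tuple so that
    '9.4.44.v20210927' compares as 9.4.44 rather than as a five-part version.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def in_range(version, low, high):
    """Inclusive check low <= version <= high on the numeric components.

    Shorter tuples are zero-padded, so '10.0' and '10.0.0' compare equal.
    """
    parts = [parse_version(v)[0] for v in (version, low, high)]
    width = max(len(p) for p in parts)
    v, lo, hi = (p + (0,) * (width - len(p)) for p in parts)
    return lo <= v <= hi


def is_affected(version, ranges=CVE_2022_2191_RANGES):
    """True if the version falls inside any of the advisory's ranges."""
    return any(in_range(version, lo, hi) for lo, hi in ranges)


def parse_maven_purl(purl):
    """Return (groupId, artifactId, version) from a pkg:maven package URL."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a pkg:maven package URL: {purl!r}")
    return m.group(1), m.group(2), m.group(3)


def suppression_entry(purl, cve, until, notes, ranges=CVE_2022_2191_RANGES):
    """Build one dependency-check <suppress> element for a confirmed false positive.

    Refuses to emit anything if the version is inside an affected range, and
    anchors the packageUrl regex to the exact purl so the suppression cannot
    silently extend to other versions or artifacts. 'until' is a placeholder
    expiry date chosen for this example (the schema takes an xs:date).
    """
    _, _, version = parse_maven_purl(purl)
    if is_affected(version, ranges):
        raise ValueError(f"{purl} is inside the affected range of {cve}; not suppressing")
    purl_regex = "^" + re.escape(purl) + "$"
    return (
        f'<suppress until="{until}">\n'
        f"  <notes><![CDATA[{notes}]]></notes>\n"
        f'  <packageUrl regex="true">{escape(purl_regex)}</packageUrl>\n'
        f"  <cve>{escape(cve)}</cve>\n"
        f"</suppress>"
    )


def suppressions_file(entries):
    """Wrap <suppress> elements in the root element dependency-check expects."""
    body = "\n".join(entries)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
        f"{body}\n"
        "</suppressions>\n"
    )


if __name__ == "__main__":
    # The purl from the issue report; the note text is constructed for this example.
    reported = "pkg:maven/org.eclipse.jetty/jetty-io@9.4.44.v20210927"
    print("affected:", is_affected(parse_maven_purl(reported)[2]))
    print(suppressions_file([suppression_entry(
        reported, "CVE-2022-2191", until="2022-09-30Z",
        notes="jetty-io 9.4.x is outside the 10.0.0-10.0.9 / 11.0.0-11.0.9 range (dependency-check #4663)")]))
```

Point the Maven plugin at the generated file with `<suppressionFiles>` in the plugin configuration and keep the `until` date short: once the advisory data is corrected upstream the suppression expires on its own and the scanner's normal verdict returns, which is the behaviour a reviewer wants rather than a permanent blanket exclusion of the CVE.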
@github-actions (Contributor)

github-actions bot commented Jul 9, 2022

Error parsing package url: jetty-io-9.4.44.v20210927.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

@aikebah (Collaborator)

aikebah commented Jul 9, 2022

Will likely be resolved in the vulnerability sources once the advisory updates get processed by them.

jetty/jetty.project#8161 (comment)

@joakime

joakime commented Jul 11, 2022

See prior comments about version range, and jetty managed advisory (the master database at github has not been updated yet):

Also, Jetty 9.4.x is now at End of Community Support, you are strongly encouraged to upgrade to Jetty 10+ as soon as possible.

See:

@tisonkun (Author)

Thank you! Closed, as upstream fixed this false positive.
