CVE-2023-44794 on spring_framework

[vincenzo-scia]

According to NIST NVD, spring_framework 6.0.17 (or more in general spring_framework > 5.3.0) is affected by CVE-2023-44794 (source: https://nvd.nist.gov/vuln/detail/CVE-2023-44794). However, DependencyCheck Maven (version 7.4.4) is not reporting this CVE for spring_framework 6.0.17.

Question: do you marked this as a false positive on the basis of what stated in this issue spring-projects/spring-framework#31862?

[OrangeDog]

https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml is the bundled suppressions file. I see nothing that would suppress this if it were being incorrectly detected.

[aikebah]

DependencyCheck Maven (version 7.4.4)

is massively outdated and unsupported. Upgrade to latest 9.x and check again.

[aikebah]

Also note that NIST does not mark Spring framework as affected, but Sa-Token when running on Spring

[vincenzo-scia]

Also note that NIST does not mark Spring framework as affected, but Sa-Token when running on Spring

Correct, thank you. What led me astray was the detail page of cpe:2.3:a:vmware:spring_framework:6.0.17 which (in my eyes) seemed to ascribe CVE-2023-44794 directly to Spring Framework:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&isCpeNameSearch=true&seach_type=all&query=cpe:2.3:a:vmware:spring_framework:6.0.17

The detail page of CVE-2023-44794 explains more precisely what you stated above.