CVE-2023-44794 on spring_framework #6612
Comments
https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml is the bundled suppressions file. I see nothing that would suppress this if it were being incorrectly detected.
is massively outdated and unsupported. Upgrade to latest 9.x and check again.
Also note that NIST does not mark Spring framework as affected, but Sa-Token when running on Spring.
Correct, thank you. What led me astray was the detail page of cpe:2.3:a:vmware:spring_framework:6.0.17 which (in my eyes) seemed to ascribe CVE-2023-44794 directly to Spring Framework. The detail page of CVE-2023-44794 explains more precisely what you stated above.
According to NIST NVD, spring_framework 6.0.17 (or more in general spring_framework > 5.3.0) is affected by CVE-2023-44794 (source: https://nvd.nist.gov/vuln/detail/CVE-2023-44794). However, DependencyCheck Maven (version 7.4.4) is not reporting this CVE for spring_framework 6.0.17.
Question: did you mark this as a false positive on the basis of what is stated in this issue, spring-projects/spring-framework#31862?
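The distinction the maintainers point to above (Sa-Token is the vulnerable product, Spring Framework only the "running on" platform) is visible in the `vulnerable` flag of each `cpeMatch` entry in the NVD 2.0 API's `configurations` array. The following added triage helper, which is not part of DependencyCheck or this issue, walks such a configuration and separates CPEs the CVE actually marks vulnerable from CPEs that only appear as the platform half of an AND node. The JSON is a constructed sample in that shape; the Sa-Token CPE is a placeholder, and only the Spring Framework CPE and the 5.3.0 boundary come from the thread.

```python
"""Triage helper: report which CPEs an NVD 2.0 style configuration marks as
vulnerable and which only appear as the platform ("running on/with") side of
an AND node. Constructed example, not DependencyCheck code."""
from typing import Dict, List

# Constructed sample modelled on the NVD 2.0 API 'configurations' shape.
# The Sa-Token CPE is a placeholder; the Spring Framework CPE and the 5.3.0
# lower bound are the values discussed in the issue.
SAMPLE_CONFIGURATIONS = [
    {
        "operator": "AND",
        "nodes": [
            {   # the product NVD actually marks as affected
                "operator": "OR",
                "negate": False,
                "cpeMatch": [
                    {"vulnerable": True,
                     "criteria": "cpe:2.3:a:example_vendor:sa-token:*:*:*:*:*:*:*:*"}
                ],
            },
            {   # the platform it runs on: listed, but vulnerable=False
                "operator": "OR",
                "negate": False,
                "cpeMatch": [
                    {"vulnerable": False,
                     "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
                     "versionStartIncluding": "5.3.0"}
                ],
            },
        ],
    }
]


def classify_cpes(configurations: List[dict]) -> Dict[str, List[str]]:
    """Split every cpeMatch criteria into 'vulnerable' and 'platform_only'."""
    result: Dict[str, List[str]] = {"vulnerable": [], "platform_only": []}
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                bucket = "vulnerable" if match.get("vulnerable") else "platform_only"
                result[bucket].append(match["criteria"])
    return result


def is_product_vulnerable(configurations: List[dict], vendor: str, product: str) -> bool:
    """True only if some cpeMatch for vendor:product carries vulnerable=True."""
    prefix = f"cpe:2.3:a:{vendor}:{product}:"
    return any(c.startswith(prefix) for c in classify_cpes(configurations)["vulnerable"])


if __name__ == "__main__":
    print(classify_cpes(SAMPLE_CONFIGURATIONS))
    print("spring_framework vulnerable:",
          is_product_vulnerable(SAMPLE_CONFIGURATIONS, "vmware", "spring_framework"))
```

A CPE detail page lists every CVE whose configuration mentions that CPE, including platform-only entries, which is why the Spring Framework page shows CVE-2023-44794 even though no scanner should flag Spring Framework itself for it.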