Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

Adobe Indesign vulnerability #2641

Open JelleBouwmans opened 3 years ago

JelleBouwmans commented 3 years ago

Required Information

Expected Behavior

There should be no vulnerabilities.

Actual Behavior

When running the OWASP dependency check (v6.2.2, see links), the following new vulnerability is shown:

acs-aem-commons-content-4.11.2-min.zip: acs-aem-commons-ui.apps-4.11.2.zip: acs-aem-commons-bundle-4.11.2.jar (pkg:maven/com.adobe.acs/acs-aem-commons-bundle@4.11.2, cpe:2.3:a:adobe:adobe_consulting_services_commons:4.11.2:*:*:*:*:*:*:*, cpe:2.3:a:adobe:dispatcher:4.11.2:*:*:*:*:*:*:*, cpe:2.3:a:adobe:form_designer:4.11.2:*:*:*:*:*:*:*, cpe:2.3:a:adobe:indesign:4.11.2:*:*:*:*:*:*:*) : CVE-2021-21098, CVE-2021-21099

[ERROR] One or more dependencies were identified with vulnerabilities: [ERROR] [ERROR] acs-aem-commons-content-4.11.2-min.zip: acs-aem-commons-ui.apps-4.11.2.zip: acs-aem-commons-bundle-4.11.2.jar: CVE-2021-21099, CVE-2021-21098

Steps to Reproduce

Deploy a project with the acs-aem-commons dependency and run an OWASP check.

Links

https://owasp.org/www-project-dependency-check/
https://github.com/jeremylong/DependencyCheck

kwin commented 3 years ago

This is a false positive as the affected library is not embedded in acs-aem-commons (https://nvd.nist.gov/vuln/detail/CVE-2021-21099#range-6776291). CPE matching does not seem to work correctly here: https://nvd.nist.gov/vuln/detail/CVE-2021-21099/cpes?expandCpeRanges=true
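
A dependency-check suppression file that records the false positive described above, added here as an example and not part of this issue or of the acs-aem-commons project. It suppresses the wrongly matched CPE product identifications (InDesign, Dispatcher, Form Designer) for the bundle's package URL instead of the two CVE numbers, so future CVEs filed against those products do not re-flag the jar either; the packageUrl pattern and the CPE names are taken from the report in the issue, and the file name `dependency-check-suppressions.xml` is an assumed choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name); pass it to the
     scanner via the maven plugin's <suppressionFiles> configuration or the
     CLI's --suppression option. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: acs-aem-commons-bundle is misidentified by CPE matching
        as Adobe InDesign / Dispatcher / Form Designer (see acs-aem-commons #2641).
        The bundle does not embed those products, so CVE-2021-21098 and
        CVE-2021-21099 (InDesign) do not apply. Suppressing the CPE rather than
        the CVE ids keeps later InDesign advisories from re-triggering.
        ]]></notes>
        <!-- Scope the rule to this artifact only; any version of the bundle. -->
        <packageUrl regex="true">^pkg:maven/com\.adobe\.acs/acs-aem-commons-bundle@.*$</packageUrl>
        <!-- Wrong product identifications from the report; the
             adobe_consulting_services_commons CPE is left in place because it
             names the actual project. -->
        <cpe>cpe:/a:adobe:indesign</cpe>
        <cpe>cpe:/a:adobe:dispatcher</cpe>
        <cpe>cpe:/a:adobe:form_designer</cpe>
    </suppress>
</suppressions>
```

After adding the file, re-run the scan and check that the report lists the bundle under "Suppressed" for these CPEs rather than silently dropping all findings for it.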

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.