OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details in iText on CVE-2021-43113 #240

Open Lars5678 opened 2 years ago

Lars5678 commented 2 years ago

Our OWASP Dependency Check reports that we are using a vulnerable version using iText 2.1.7.

The info seems to come from your system.

While NIST reports that only versions > 7.0.0 are affected, your system reports that all versions < 7.1.7 are affected.

However, the affected class GhostscriptHelper.java only exists in versions > 7.0.0.

Please check if the older versions are really affected or not.

ken-duck commented 2 years ago

Hi! Sorry for the delay, but I respond with good news.

OSS Index is going through a major upgrade, as described here: https://ossindex.sonatype.org/updates-notice

The most clear and obvious benefit is far fewer false negatives and false positives, and vulnerabilities will be added to the system on a much more frequent and rapid basis. Once the upgrade is completed you should see most (if not all) of the reported data issues be resolved.

haumacher commented 2 years ago

The problematic class was introduced in iText 7.1.12 with the following commit:

https://github.com/itext/itext7/commit/bdddc6196f490f3299fc385fd341705544f83035#diff-dafe2bff38773d6b38c497cdf5ee7eab575b0305d290f7dc2051c2f91522dead

The text of the report states "iTextPDF in iText before 7.1.17 allows command injection via..." which sounds reasonable to me because the version is greater than the version that introduces the problem. However, the technical version range seems to be also wrong regarding the fix version, because it is lower than the version that introduced the problem!

Therefore, the affected versions should be marked as [7.1.12, 7.1.17)
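The disagreement above is about interval boundaries, and it is easy to check mechanically which of the two ranges a given build would match. The following Python is an added illustration, not code from OSS Index, OWASP Dependency Check or the iText project: it parses Maven-style interval notation (an assumption about the syntax, chosen because `[7.1.12, 7.1.17)` in the comment is written that way), compares dotted numeric versions, and evaluates a version against both the range the thread says was published (`(, 7.1.17)`, i.e. everything below 7.1.17) and the corrected range proposed in the comment. Pre-release suffixes are dropped from version strings, which is a simplification.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.1.12' into (7, 1, 12). Trailing non-numeric parts such as
    '-beta' are ignored (simplification for this example)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so that '7.1' compares equal to '7.1.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


@dataclass(frozen=True)
class VersionRange:
    lower: Optional[str]        # None means unbounded below
    lower_inclusive: bool
    upper: Optional[str]        # None means unbounded above
    upper_inclusive: bool

    @classmethod
    def parse(cls, spec: str) -> "VersionRange":
        """Parse interval notation such as '[7.1.12, 7.1.17)' or '(, 7.1.17)'."""
        spec = spec.strip()
        if spec[0] not in "[(" or spec[-1] not in "])" or "," not in spec:
            raise ValueError(f"not an interval: {spec!r}")
        lo, hi = (s.strip() for s in spec[1:-1].split(",", 1))
        return cls(lo or None, spec[0] == "[", hi or None, spec[-1] == "]")

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.lower is not None:
            a, lo = _padded(v, parse_version(self.lower))
            if a < lo or (a == lo and not self.lower_inclusive):
                return False
        if self.upper is not None:
            a, hi = _padded(v, parse_version(self.upper))
            if a > hi or (a == hi and not self.upper_inclusive):
                return False
        return True


# The range the thread says was published (every version below 7.1.17) and
# the correction proposed in the comment above.
REPORTED_RANGE = "(, 7.1.17)"
PROPOSED_RANGE = "[7.1.12, 7.1.17)"


def is_affected(version: str, range_spec: str) -> bool:
    """True if `version` falls inside the interval `range_spec`."""
    return VersionRange.parse(range_spec).contains(version)


def compare_ranges(version: str) -> dict:
    """Show how the same version is judged by the two ranges."""
    return {
        "version": version,
        "reported_range_matches": is_affected(version, REPORTED_RANGE),
        "proposed_range_matches": is_affected(version, PROPOSED_RANGE),
    }


if __name__ == "__main__":
    # 2.1.7 is the version from the original report; the rest bracket the
    # boundaries of the proposed interval.
    for v in ["2.1.7", "7.0.0", "7.1.11", "7.1.12", "7.1.16", "7.1.17"]:
        print(compare_ranges(v))
```

Running the block shows that 2.1.7 is flagged by the open-ended range but not by `[7.1.12, 7.1.17)`, while 7.1.12 through 7.1.16 are flagged by both and 7.1.17 (the fix version) by neither; that boundary behaviour is exactly what an advisory's version range has to get right for a dependency scanner to avoid false positives on old, unaffected releases.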

ken-duck commented 1 year ago

Very sorry for the delay. As you may have noticed, a number of issues have fallen through the cracks, and we are in the process of catching up and cleaning things up.

Thank you for your report. We are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users. I have moved your request to the internal tracking system and the research team will look into the issue shortly.

If you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org