OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability CVE-2018-14335 for com.h2database:h2:jar:2.1.212 #277

Closed krah034 closed 2 years ago

krah034 commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2018-14335?component-type=maven&component-name=com.h2database%2Fh2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

Component URL

https://ossindex.sonatype.org/component/pkg:maven/com.h2database/h2@2.1.212?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

Description

Today the BanVulnerableDependencies rule from ossindex-maven enforcer-rules started reporting the following vulnerability:

Detected 16 vulnerable components:
[...]
  com.h2database:h2:jar:2.1.212:test; https://ossindex.sonatype.org/component/pkg:maven/com.h2database/h2@2.1.212?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
    * [CVE-2018-14335] CWE-59: Improper Link Resolution Before File Access ('Link Following') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2018-14335?component-type=maven&component-name=com.h2database%2Fh2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
    * 1 vulnerability found (8.0); null

Only h2database:h2:1.4.197 should be affected by this CVE.
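While a data defect like this one is waiting on a correction upstream, a build still has to pass without silently ignoring every other finding. The following pom.xml fragment is an added example (not part of the issue or of the ossindex-maven project's own documentation) showing how the BanVulnerableDependencies rule can be told to skip one specific advisory id while continuing to fail the build on anything else. The rule class name and the excludeVulnerabilityIds / excludeCoordinates elements are taken from my recollection of the plugin's documentation; the enforcer-rules version is a placeholder and should be replaced with the version actually in use.

```xml
<!-- Added example: Maven Enforcer configuration that suppresses one known
     false positive (CVE-2018-14335 reported against h2 2.1.212) while still
     banning all other vulnerable dependencies. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-enforcer-rules</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: use your real version -->
    </dependency>
  </dependencies>
  <executions>
    <execution>
      <id>ossindex-vulnerability-check</id>
      <phase>validate</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <banVulnerableDependencies
              implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies">
            <!-- Keep failing the build on real findings. -->
            <fail>true</fail>
            <!-- Skip only the advisory known to be mis-assigned to this artifact.
                 Note: this hides the CVE for every artifact in the build, so
                 revisit the entry once OSS Index has corrected its data. -->
            <excludeVulnerabilityIds>
              <exclude>CVE-2018-14335</exclude>
            </excludeVulnerabilityIds>
            <!-- Alternative, narrower in one sense and broader in another:
                 exclude the exact coordinates instead, which suppresses
                 every advisory for that single artifact version. Shown here
                 commented out; pick one approach, not both.
            <excludeCoordinates>
              <exclude>
                <groupId>com.h2database</groupId>
                <artifactId>h2</artifactId>
                <version>2.1.212</version>
              </exclude>
            </excludeCoordinates>
            -->
          </banVulnerableDependencies>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Excluding by advisory id is the better fit for a data defect such as the one reported here, because the CVE itself is the thing that is wrong for this component; excluding by coordinates is the better fit when a specific artifact version has been reviewed and accepted in full. In either case the exclusion should carry a comment naming the upstream ticket so it gets removed once the correction lands.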

msymons commented 2 years ago

Reading the references listed by OSSI itself for this vuln, it can be confirmed that what is said above is correct... that this is an OSSI data defect.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

In this case, the issue has already been resolved. The supplied links indicate that the vulnerability data has been corrected.

Thanks for your help!

THausherr commented 2 years ago

I'm wondering why this was reported in the Apache Tika build for the very first time yesterday, even though we have builds several times a week. And now I have learned that this was fixed in July. Is there some sort of delay for people using ossindex-maven-plugin?