Closed elastic-pangolin closed 1 year ago
Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.
This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.
The CVE is wrong (really!). The CVE said the impacted versions (via the CPE) were up to and including 1.2.1, whereas the description says "django-celery-results through 1.2.1" -- this is because when the CVE was added there were no versions beyond 1.2.1, so there were no fixed versions.
Sonatype deep dive researchers have determined the vulnerability affects versions prior to 2.4.0.
We will be upgrading OSS Index shortly to report when (and why!) our findings differ from NVD.
Vulnerability: https://ossindex.sonatype.org/vulnerability/CVE-2020-17495
It is reported for django-celery-results 1.0.2 to 2.3.1: https://ossindex.sonatype.org/component/pkg:pypi/django-celery-results
But officially affects 1.0.0 to 1.2.1: https://nvd.nist.gov/vuln/detail/CVE-2020-17495
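As an added example (not code from this issue thread, from Sonatype, or from NVD), the following Python check evaluates a django-celery-results version against both affected ranges stated above and flags where the two sources disagree; the version parser is a constructed minimal helper that handles only dotted numeric versions, and the "last affected" versus "fixed" distinction mirrors the CPE "up to and including 1.2.1" situation described in the thread.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Parse a dotted numeric version such as '2.3.1' into a comparable tuple.

    Constructed helper for this example only; it does not handle pre-release
    or local version labels the way the `packaging` library would.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class AffectedRange:
    """An advisory's affected range for one package, as one data source states it."""
    source: str
    introduced: str                      # first affected version (inclusive)
    fixed: Optional[str] = None          # first fixed version (exclusive), None if none known
    last_affected: Optional[str] = None  # inclusive upper bound used when no fix existed

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        if self.fixed is not None:
            return v < parse_version(self.fixed)
        if self.last_affected is not None:
            return v <= parse_version(self.last_affected)
        return True  # no upper bound at all: every later version counts as affected


# Ranges exactly as stated in this thread for CVE-2020-17495.
# NVD: 1.0.0 through 1.2.1 (no fixed version existed when the CVE was filed).
# OSS Index: 1.0.2 up to, but not including, 2.4.0.
NVD = AffectedRange("NVD", introduced="1.0.0", last_affected="1.2.1")
OSS_INDEX = AffectedRange("OSS Index", introduced="1.0.2", fixed="2.4.0")


def assess(version: str) -> dict:
    """Return each source's verdict for `version` and whether they disagree."""
    nvd = NVD.contains(version)
    ossi = OSS_INDEX.contains(version)
    return {"version": version, "nvd": nvd, "oss_index": ossi, "disagree": nvd != ossi}


if __name__ == "__main__":
    # Constructed sample versions spanning both ranges' boundaries.
    for candidate in ("1.0.1", "1.2.1", "2.3.1", "2.4.0"):
        print(assess(candidate))
```

Versions between 1.2.2 and 2.3.1 are the practical gap: a scanner keyed only to the NVD CPE range reports them clean while the Sonatype range reports them affected.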