Closed msymons closed 2 years ago
I emailed webtide security and received a response in less than 10 minutes...
The database version at
https://github.com/advisories/GHSA-8mpp-f3f7-xc28
has the original ranges. This invalid range was pointed out in our issue tracker at https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178712744
And a ticket to update the range has been submitted at https://github.com/github/advisory-database/pull/489
The official advisory at
https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
was updated. We expect the database version to be updated once github reviews the changes.
i.e., this confirms that versions lower than 10.0.0 are not affected by this vulnerability
The github advisory database version has had its version range updated a few minutes ago ...
For the record, I'm the one that responded to @msymons from the "webtide security" portion of his comment with that exact text that he copy/pasted into this issue. I'm also an Eclipse Jetty committer - https://github.com/eclipse/jetty.project/graphs/contributors
Looks like our researchers got at this one already. Looking at the chart here seems to indicate the issue has been resolved: https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-io
@ken-duck, now what we need is for MITRE to support SWID or PURL so that these kinds of problems can be more easily avoided.
I so hate CPE.
@ken-duck, the issue has been resolved for jetty-io but not replaced by jetty-server. Thus the vuln is now not alerting against anything that I can see.
Vulnerability URL:
Component URL: One example of many...
Description: The OSSI text for vulnerability CVE-2022-2191 states "In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions..." and yet OSSI is incorrectly matching against versions before 10.0.0
If the matching against (say) v9.4.43.v20210629 is deemed to be correct based on internal Sonatype research then the OSSI description text needs to be updated to make this explicitly clear.
I have dug into the GHSA advisories and things are confusing there. The one published in the Jetty repo differs from the "official" GHSA... although both have the same id.
"Official": https://github.com/advisories/GHSA-8mpp-f3f7-xc28 (< 10.0.10, >= 11.0.0, < 11.0.10)
"Jetty": https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 (10.0.0 to 10.0.9, 11.0.0 to 11.0.9)
Also, note that both report that the vulnerability affects jetty-server and not jetty-io.
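The root cause of the false match discussed in this thread is visible in the two range strings quoted above: the database entry's 10.x range was written as "< 10.0.10" with no lower bound, so any earlier version, including the 9.4.x line, satisfies it, while the corrected ">= 10.0.0, < 10.0.10" does not. The following is an added example written for this page, not code from OSS Index, GitHub or the Jetty project. It implements a small evaluator for comma-separated GHSA-style constraints (">=", "<", etc.) and runs the two range sets from the issue body against a handful of constructed Jetty version strings. The version comparison only uses the leading numeric components, so a Jetty qualifier such as "v20210629" in 9.4.43.v20210629 is ignored; that simplification is an assumption of this example, not how any of the named tools parse versions.

```python
import re

# Range strings as quoted in the issue body: the first set is the database
# entry before the fix (no lower bound on the 10.x range), the second is the
# corrected form matching the Jetty advisory's "10.0.0 thru 10.0.9" wording.
ORIGINAL_GHSA_RANGES = ["< 10.0.10", ">= 11.0.0, < 11.0.10"]
CORRECTED_GHSA_RANGES = [">= 10.0.0, < 10.0.10", ">= 11.0.0, < 11.0.10"]


def parse_version(v):
    """Numeric prefix of a Jetty-style version string.

    '9.4.43.v20210629' -> (9, 4, 43).  The first non-numeric component ends
    the prefix; trailing qualifiers are not compared (assumption of this example).
    """
    parts = []
    for component in v.split("."):
        if not component.isdigit():
            break
        parts.append(int(component))
    return tuple(parts)


def cmp_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator; '10.0' compares equal to '10.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}

# One constraint: operator, then a version starting with a digit.
_CONSTRAINT = re.compile(r"^\s*(<=|>=|<|>|=)\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_range(spec):
    """Split '>= 10.0.0, < 10.0.10' into [('>=', '10.0.0'), ('<', '10.0.10')]."""
    constraints = []
    for piece in spec.split(","):
        m = _CONSTRAINT.match(piece)
        if not m:
            raise ValueError(f"unparseable constraint: {piece!r}")
        constraints.append((m.group(1), m.group(2)))
    return constraints


def in_range(version, spec):
    """True when the version satisfies every constraint in the range string."""
    return all(_OPS[op](cmp_versions(version, bound)) for op, bound in parse_range(spec))


def affected(version, ranges):
    """An advisory lists several ranges; the version is affected if any one matches."""
    return any(in_range(version, r) for r in ranges)


def compare_ranges(versions):
    """Map each version to (matches original ranges, matches corrected ranges)."""
    return {
        v: (affected(v, ORIGINAL_GHSA_RANGES), affected(v, CORRECTED_GHSA_RANGES))
        for v in versions
    }


if __name__ == "__main__":
    # Constructed sample of Jetty release strings spanning the boundaries.
    sample = ["9.4.43.v20210629", "10.0.9", "10.0.10", "11.0.9", "11.0.10"]
    for v, (orig, fixed) in compare_ranges(sample).items():
        print(f"{v:<20} original={orig!s:<5} corrected={fixed!s:<5}")
```

Running it shows 9.4.43.v20210629 flagged by the original ranges but not by the corrected ones, while 10.0.9 and 11.0.9 are flagged by both and 10.0.10 and 11.0.10 by neither. When reviewing an advisory's affected ranges, the check worth automating is exactly this one: every range for a release line that has older siblings needs an explicit lower bound, otherwise the open-ended "<" silently pulls in every earlier major version.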