OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Missing Advisory: CVE-2022-24329 for Kotlin #315

Closed estebanhiguitad closed 1 year ago

estebanhiguitad commented 2 years ago

Advisory details

  URL: https://nvd.nist.gov/vuln/detail/CVE-2022-24329
  format: Android, Kotlin, Gradle, Owasp dependency for check
  namespace: org.jetbrains.kotlin
  name: kotlin-stdlib-jdk7
  versions: 1.5.30

More information

This is a vulnerability reported by org.owasp:dependency-check-gradle:7.1.0 in Android

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. CWE-667 Improper Locking

CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:
  MISC - https://blog.jetbrains.com/
  MISC - https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/
  MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
  N/A - N/A

Vulnerable Software & Versions:
  cpe:2.3:a:jetbrains:kotlin:*:*:*:*:*:*:*:* versions up to (excluding) 1.6.0
  cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5:*:*:*:*:*:*:*

ken-duck commented 1 year ago

Sorry for the delay. We are still working on developing processes to handle issues, and I have been away for a while (catching up now)!

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

Sorry for the VERY long delay in responding. There have been MANY changes. For one, we moved from our old OSS Index database to one with many more researchers and a significantly increased number of vulnerabilities.

Due to the improved research, the above vulnerability IS in the database, but it actually implicates org.jetbrains.kotlin : kotlin-gradle-plugin, which our researchers have determined is the actual source of the vulnerability.

Future issues should be reported to ossindex@sonatype.org which is more actively monitored and should result in a much more reasonable response time. Sorry for the inconvenience.
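The resolution of this thread is a component-attribution correction: the advisory belongs to org.jetbrains.kotlin:kotlin-gradle-plugin (affected before 1.6.0), not to kotlin-stdlib-jdk7. The following is an added example (not code from OSS Index or from dependency-check) showing how a scanner matches Gradle coordinates against an advisory's affected component and version bound, so that the corrected record flags the plugin but not the stdlib artifact from the original report. The advisory record, the dependency list and all helper names are constructed for the illustration.

```python
"""Match Maven/Gradle coordinates against an advisory's affected component.

Added example, not code from OSS Index or dependency-check. It models the
correction in this thread: CVE-2022-24329 is attached to
org.jetbrains.kotlin:kotlin-gradle-plugin, versions up to (excluding)
1.6.0, so kotlin-stdlib-jdk7:1.5.30 must not be flagged for it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    namespace: str   # Maven groupId
    name: str        # Maven artifactId
    fixed_in: str    # first version NOT affected ("up to (excluding)")


def version_key(v: str) -> tuple:
    """Sortable key for dotted versions with an optional pre-release tag,
    so that 1.6 == 1.6.0 and 1.6.0-RC < 1.6.0 < 1.6.1."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad to major.minor.patch
    return (nums, 0 if pre else 1, pre)


def is_affected(coord: str, adv: Advisory) -> bool:
    """coord is 'group:artifact:version' as printed in a Gradle report."""
    group, artifact, version = coord.split(":")
    if (group, artifact) != (adv.namespace, adv.name):
        return False  # same groupId is not enough; artifactId must match
    return version_key(version) < version_key(adv.fixed_in)


def scan(coords, advisories) -> dict:
    """Return {coordinate: [cve, ...]} for flagged dependencies only."""
    findings = {}
    for c in coords:
        hits = [a.cve for a in advisories if is_affected(c, a)]
        if hits:
            findings[c] = hits
    return findings


# Advisory as corrected in the thread (constructed record).
CVE_2022_24329 = Advisory("CVE-2022-24329", "org.jetbrains.kotlin",
                          "kotlin-gradle-plugin", "1.6.0")

# Constructed dependency list resembling a Gradle resolution report.
SAMPLE_DEPS = [
    "org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.5.30",   # from the report: not affected
    "org.jetbrains.kotlin:kotlin-gradle-plugin:1.5.30",  # affected
    "org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.0-RC",  # pre-release of the fix: affected
    "org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.0",   # fixed
]

if __name__ == "__main__":
    for coord, cves in scan(SAMPLE_DEPS, [CVE_2022_24329]).items():
        print(coord, "->", ", ".join(cves))
```

The check deliberately keys on groupId and artifactId together: matching on the shared org.jetbrains.kotlin group alone is exactly what produces the false positive on kotlin-stdlib-jdk7 that the issue reports.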