OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details for CVE-2022-2053 #321

Closed aikebah closed 1 year ago

aikebah commented 1 year ago

Vulnerability URL Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/CVE-2022-2053?component-type=maven&component

Component URL Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:maven/io.undertow/undertow-core@2.2.19.Final

Description According to the CVE description this was fixed in both 2.2.19.Final and 2.3.0.Alpha2, yet OSSIndex still reports both as affected by it.

ken-duck commented 1 year ago

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

aikebah commented 1 year ago

@ken-duck Any update on this one?

ken-duck commented 1 year ago

Sorry for the delay. We are finally going through all our old issues. There was some internal churn where issues (or at least communication thereof) were getting lost. We are changing our processes in order to respond much faster.

Among the changes, we moved from our old OSS Index vulnerability database to use a more accurate and more actively maintained data source. You should have seen this problem disappear at some point. There was also a fix in the original research data (along with an explanation from the research team) which gives more insight into the vulnerability itself.

From the research team:

We verified the information available regarding this vulnerability and found a fix in versions 2.2.19.Final and 2.3.0.Alpha2:

https://github.com/undertow-io/undertow/pull/1350/files#diff-cee2c823d90d21364a863a1916adc96214d1ac3cfed9d0eb28cfe8304d008c47R206-R207

Despite the fact that the fix does not modify the vulnerable code that we had implicated in our research, it now throws an exception on the call of the vulnerable method, thus handling the scenario where the request exceeds the max-post-size limit.

Hence, it can be considered as a valid solution for the vulnerability.

You can see the aforementioned vulnerability does not appear for this component: https://ossindex.sonatype.org/component/pkg:maven/io.undertow/undertow-core@2.2.19.Final
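The research team's note describes the fix pattern rather than the code: the request is refused with an exception once it exceeds the max-post-size limit, before the method that was implicated in the research is ever reached. The Java class below is an added illustration of that defensive pattern and is not Undertow's code or the code from the linked pull request; the class name, the exception type, the limit value and the sample bodies are all constructed for the example, and a negative limit is taken to mean "unbounded".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical guard (not Undertow code): refuse to buffer a request body
// larger than a configured max-post-size, failing before any parser runs.
public class MaxPostSizeGuard {

    /** Raised when the body exceeds the configured limit (hypothetical type). */
    public static class RequestTooLargeException extends IOException {
        public RequestTooLargeException(long limit) {
            super("request body exceeds max-post-size of " + limit + " bytes");
        }
    }

    private final long maxPostSize; // assumption: a negative value disables the limit

    public MaxPostSizeGuard(long maxPostSize) {
        this.maxPostSize = maxPostSize;
    }

    /** Fast path: reject on a declared Content-Length before reading a single byte. */
    public void checkDeclaredLength(long contentLength) throws RequestTooLargeException {
        if (maxPostSize >= 0 && contentLength > maxPostSize) {
            throw new RequestTooLargeException(maxPostSize);
        }
    }

    /**
     * Slow path for bodies with no usable Content-Length (e.g. chunked encoding):
     * read in blocks and stop as soon as the running total passes the limit,
     * so memory held for one request never exceeds maxPostSize plus one block.
     */
    public byte[] readBounded(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] block = new byte[8192];
        long total = 0;
        int n;
        while ((n = in.read(block)) != -1) {
            total += n;
            if (maxPostSize >= 0 && total > maxPostSize) {
                // Throw before the bytes are handed to any downstream parser.
                throw new RequestTooLargeException(maxPostSize);
            }
            buf.write(block, 0, n);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        MaxPostSizeGuard guard = new MaxPostSizeGuard(16);   // constructed limit: 16 bytes
        byte[] small = "hello".getBytes();                    // constructed body under the limit
        byte[] large = new byte[64];                          // constructed body over the limit

        guard.checkDeclaredLength(small.length);              // passes silently
        byte[] accepted = guard.readBounded(new ByteArrayInputStream(small));
        System.out.println("small body accepted: " + accepted.length + " bytes");

        try {
            guard.readBounded(new ByteArrayInputStream(large));
            System.out.println("large body accepted (unexpected)");
        } catch (RequestTooLargeException e) {
            System.out.println("large body rejected: " + e.getMessage());
        }
    }
}
```

Checking the declared length first is the cheap guard, but it is not sufficient on its own: a client can omit or under-declare Content-Length, so the streaming check in readBounded is what actually bounds memory. That is the same shape as the research team's reasoning above: the vulnerable method need not change if the oversized input can no longer reach it.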