Closed huangfeng212 closed 7 months ago
5.13.3 has that CVE fixed.
As you wrote, NIST should update the listing. We did send an update request, but they say "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided."
There's nothing more we can do.
Description
Will there be a fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4759 for the 5.x version? I see from Maven Central that there is no fix: https://mvnrepository.com/artifact/org.eclipse.jgit/org.eclipse.jgit. However, our project is staying with Java 8 and cannot use the 6.x version.
I found this thread https://www.eclipse.org/forums/index.php/m/1862132/?srch=CVE-2023-4759#msg_1862132 and according to that, the new 5.13.3 should have the CVE fixed, but Maven Central still shows that version as having the CVE. I also encountered the same error when I build my project. I think the authority at https://nvd.nist.gov/vuln/detail/CVE-2023-4759 needs to update the entry to say that this 5.13.3 version is also a fixed version. https://nvd.nist.gov/vuln/detail/CVE-2023-4759
Motivation
Can't find a CVE-free version for 5.x (Java 8)
Alternatives considered
No response
Additional context
No response