fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

CVE-2021-33813 purl mapping is incomplete. #100

Open cg122 opened 2 years ago

cg122 commented 2 years ago

CVE-2021-33813 mapped following purls:

    "pkg:maven/org.jdom/jdom@1.1.2",
    "pkg:maven/org.jdom/jdom@1.1.3",
    "pkg:maven/org.jdom/jdom@2.0.0",
    "pkg:maven/org.jdom/jdom@2.0.1",
    "pkg:maven/org.jdom/jdom@2.0.2"

The CVE description suggests 2.0.6 is also affected.

"An XXE issue in SAXBuilder in JDOM through 2.0.6 ..."

This may be caused by the naming issue of jdom as described in "Which Maven artefact should I use?".

"All JDOM versions are available in the 'jdom' or 'jdom2' artifact in the org.jdom group on Maven. The maven artifacts are a mess with early JDOM 2.x versions appearing in the 'jdom' artifacts, and later 2.x versions in the 'jdom2' artifact. Maven does not allow the fixing of mistakes, so maven users will just have to live with it as it is."

MagielBruntink commented 2 years ago

Yep, there is no 2.0.6 version of org.jdom:jdom. However there is 2.0.6 for org.jdom:jdom2, which we do not link to this CVE. Also GHSA lists org.jdom:jdom as the Maven artifact only.
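The gap described in the issue and the reply above (the CVE says "through 2.0.6", the mapping only lists org.jdom:jdom versions, and 2.0.6 exists only under org.jdom:jdom2) can be caught by a coverage check over the mapped purls. The following is an added example, not code from vulnerability-producer; the version inventory is constructed from the facts stated in this thread and stands in for a real Maven index query.

```python
"""Coverage check for a CVE's purl mapping against a stated affected range.

Added example, not vulnerability-producer code. The artifact inventory below is
constructed from the thread (jdom has no 2.0.6; jdom2 has 2.0.6); a real check
would query the Maven index instead.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def parse_purl(purl: str) -> Purl:
    """Minimal parser for purls shaped like pkg:type/namespace/name@version."""
    m = re.fullmatch(r"pkg:([^/]+)/([^/]+)/([^@/]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return Purl(*m.groups())


def version_key(version: str) -> tuple:
    """Comparable tuple for simple dotted versions such as 2.0.6."""
    return tuple(int(part) for part in version.split("."))


# Purls currently mapped to CVE-2021-33813, as listed in the issue.
MAPPED = [
    "pkg:maven/org.jdom/jdom@1.1.2",
    "pkg:maven/org.jdom/jdom@1.1.3",
    "pkg:maven/org.jdom/jdom@2.0.0",
    "pkg:maven/org.jdom/jdom@2.0.1",
    "pkg:maven/org.jdom/jdom@2.0.2",
]

# Constructed inventory (assumption for the example): published versions per
# artifact in the org.jdom group, limited to what the thread states.
INVENTORY = {
    ("org.jdom", "jdom"): ["1.1.2", "1.1.3", "2.0.0", "2.0.1", "2.0.2"],
    ("org.jdom", "jdom2"): ["2.0.6"],
}


def affected_purls(inventory: dict, affected_through: str) -> list:
    """Every artifact@version in the inventory at or below the stated bound."""
    bound = version_key(affected_through)
    out = []
    for (namespace, name), versions in inventory.items():
        for version in versions:
            if version_key(version) <= bound:
                out.append(f"pkg:maven/{namespace}/{name}@{version}")
    return out


def missing_purls(mapped: list, inventory: dict, affected_through: str) -> list:
    """Affected purls that the mapping does not contain (the coverage gap)."""
    have = {parse_purl(p) for p in mapped}
    return [
        p for p in affected_purls(inventory, affected_through)
        if parse_purl(p) not in have
    ]


if __name__ == "__main__":
    # "An XXE issue in SAXBuilder in JDOM through 2.0.6" -> bound is 2.0.6
    for purl in missing_purls(MAPPED, INVENTORY, "2.0.6"):
        print("not mapped to CVE-2021-33813:", purl)
```

Because the check compares parsed purls rather than strings, the split of one project across two artifact names shows up as a missing entry instead of being hidden by the fact that every mapped purl is individually correct.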