gwtproject / gwt

GWT Open Source Project
http://www.gwtproject.org

CVE-2007-2378 #9381

Open brianpreuss opened 8 years ago

brianpreuss commented 8 years ago

Hi,

the OWASP Dependency Checker tells me about a problem with GWT filed under CVE-2007-2378. I think this issue has been fixed, but I can't find any information about that subject. Could you clarify that this is not a security problem anymore?

Regards,

Brian

tbroyer commented 8 years ago

AFAICT, this has been fixed by https://github.com/gwtproject/gwt/commit/28162c8e55e7f8e5e82885dded12a142211a96b0 which was released in 1.4.10 on May 30th 2007.

Do you know how we can update the vulnerability database to remove this false positive?

brianpreuss commented 8 years ago

I'm sorry, but I don't know much about the CVE database; maybe the CVE board knows that? http://cve.mitre.org/community/board/index.html

jnehlmeier commented 8 years ago

According to https://cve.mitre.org/about/faqs.html#b6 you have to mail them. But instead of requesting removal of the CVE, it's probably better to attach affected versions via NVD, as CVE delegates to NVD for such information (each CVE has an NVD link in its header for more information).

When looking at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2378 the vulnerable version section only references GWT in general. Listing versions as in https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4204 would be preferable.

The dependency check of OWASP Dependency Checker uses the NVD data feeds as mentioned in https://www.owasp.org/index.php/OWASP_Dependency_Check at the bottom.
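To make the point above about version ranges concrete, here is an added illustration of how a scanner that matches components against NVD-style CPE records behaves when an entry names a product with no version bound, versus the same entry with the fix release as an exclusive upper bound. This is not code from the GWT project, OWASP Dependency Check or NVD; the match records, the `google:web_toolkit` CPE name and the simplified matching logic are assumptions made for the example. The cut-off 1.4.10 is the fix release named earlier in this thread.

```python
"""Why an NVD entry with no version bound flags every version of a product.

This is an added illustration, not code from the GWT project, OWASP
Dependency Check or NVD. It models only the version-range part of CPE
matching; the CpeMatch records below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# cpe:2.3:<part>:<vendor>:<product>:<version>:... (remaining fields ignored here)
CPE23 = re.compile(r"^cpe:2\.3:([aho]):([^:]+):([^:]+):([^:]+):")


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Sort key so that '1.4.9' < '1.4.10' (numeric parts compare as ints,
    non-numeric parts such as 'rc1' sort before any number)."""
    return tuple((int(p), "") if p.isdigit() else (-1, p) for p in version.split("."))


@dataclass(frozen=True)
class CpeMatch:
    """One CPE match record, loosely modelled on NVD's cpe23Uri plus the
    optional versionStartIncluding / versionEndExcluding bounds."""
    cpe23: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def cpe_fields(cpe23: str) -> Tuple[str, str, str]:
    """Extract (vendor, product, version) from a CPE 2.3 string."""
    m = CPE23.match(cpe23)
    if m is None:
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    return m.group(2), m.group(3), m.group(4)


def is_affected(match: CpeMatch, vendor: str, product: str, version: str) -> bool:
    """True if (vendor, product, version) falls inside the match record."""
    m_vendor, m_product, m_version = cpe_fields(match.cpe23)
    if (m_vendor, m_product) != (vendor, product):
        return False
    # A literal version in the CPE must match exactly; '*' means "any version".
    if m_version != "*" and m_version != version:
        return False
    v = version_key(version)
    if match.version_start_including and v < version_key(match.version_start_including):
        return False
    if match.version_end_excluding and v >= version_key(match.version_end_excluding):
        return False
    return True


def flagged_cves(database: Dict[str, List[CpeMatch]],
                 vendor: str, product: str, version: str) -> List[str]:
    """Return the CVE ids whose match records cover the given component."""
    return sorted(cve for cve, matches in database.items()
                  if any(is_affected(m, vendor, product, version) for m in matches))


# Constructed records. The CPE name google:web_toolkit is an assumption.
# UNBOUNDED mirrors the situation described in the thread: the product is
# listed with no version range at all, so every GWT release matches.
UNBOUNDED = {"CVE-2007-2378": [CpeMatch("cpe:2.3:a:google:web_toolkit:*:*:*:*:*:*:*:*")]}

# BOUNDED is the same entry with the fix release (1.4.10, per the commit
# referenced above) as an exclusive upper bound: 1.4.9 still matches, 1.4.10 does not.
BOUNDED = {"CVE-2007-2378": [CpeMatch("cpe:2.3:a:google:web_toolkit:*:*:*:*:*:*:*:*",
                                      version_end_excluding="1.4.10")]}


if __name__ == "__main__":
    for version in ("1.3.3", "1.4.9", "1.4.10", "2.8.0"):
        print(version,
              "unbounded:", flagged_cves(UNBOUNDED, "google", "web_toolkit", version),
              "bounded:", flagged_cves(BOUNDED, "google", "web_toolkit", version))
```

Dependency Check's real matching is more involved than this (it also builds its CPE candidates from evidence in the jar's manifest and POM), so the example covers only the version-range half of the problem. Until the NVD entry carries a bound, the practical workaround on the consumer side is Dependency Check's suppression-file mechanism for this CVE, which should only be applied to builds already on 1.4.10 or later.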

tbroyer commented 8 years ago

Yes, I was thinking about updating NVD, not removing the CVE (which was an issue a long time ago). Do you happen to know the process?

jnehlmeier commented 8 years ago

No, never done it.