Closed githubuserVenkat closed 1 week ago
Maven Coordinates
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-osgi-adapter</artifactId>
  <version>18.0.2</version>
</dependency>
Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6909
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
  <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10472205438
The OSGi adapter library is an EOL'd, abandoned part of the Keycloak project and as such is properly mapped to the CPE of Keycloak at NVD.
This project does not manage attribution of CVEs to specific sublibraries of a project.
The library was removed from the Keycloak codebase by the removal of the Fuse 6 & 7 adapters in https://github.com/keycloak/keycloak/pull/11740
Package URL
pkg:maven/org.keycloak/keycloak-osgi-adapter@18.0.2
CPE
cpe:2.3:a:keycloak:keycloak:18.0.2:::::::, cpe:2.3:a:redhat:keycloak:18.0.2:::::::
CVE
CVE-2023-6563
ODC Integration
None
ODC Version
10.0.3
Description
The actual vulnerable component is Keycloak before version 21.0.0; however, OWASP is treating keycloak-osgi-adapter-18.0.2.jar as a Keycloak jar, and its version matches the vulnerable version 21.0.
Note: the currently used Keycloak version is 22.0.5.
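As an added illustration (not code from this issue or from DependencyCheck itself), the script below parses the suppression rule above and checks which of the two CPE identifiers reported for this package URL it would cover. The matching logic is a simplified approximation of dependency-check's behaviour, assumed here: the package URL must match the `packageUrl` regex, and a version-less `cpe` element is treated as a prefix of the identified CPE in its 2.2 URI form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the rule from the issue above (surrounding <suppressions>
# root and XML namespace omitted).
RULE_XML = r"""<suppress base="true">
  <notes><![CDATA[FP per issue #6909]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
  <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>"""

def cpe23_to_22(cpe23: str) -> str:
    """Convert a CPE 2.3 string to the 2.2 URI form used in suppression rules,
    dropping trailing empty/'*' fields: cpe:2.3:a:v:p:1.0::::::: -> cpe:/a:v:p:1.0"""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    fields = parts[2:]
    while fields and fields[-1] in ("", "*"):
        fields.pop()
    return "cpe:/" + ":".join(fields)

def load_rule(xml_text: str) -> dict:
    """Parse one <suppress> element into the pieces used for matching."""
    el = ET.fromstring(xml_text)
    purl, cpe = el.find("packageUrl"), el.find("cpe")
    return {
        "purl": purl.text.strip(),
        "purl_regex": purl.get("regex", "false") == "true",
        "cpe": cpe.text.strip().lower(),
    }

def is_suppressed(rule: dict, purl: str, cpe23: str) -> bool:
    """Simplified approximation (an assumption, not ODC's own code): the package
    URL must match <packageUrl>, and the identified CPE must start with the
    rule's <cpe> (a version-less <cpe> acts as a prefix)."""
    if rule["purl_regex"]:
        purl_ok = re.fullmatch(rule["purl"], purl) is not None
    else:
        purl_ok = rule["purl"] == purl
    cpe_ok = cpe23_to_22(cpe23).lower().startswith(rule["cpe"])
    return purl_ok and cpe_ok

if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    purl = "pkg:maven/org.keycloak/keycloak-osgi-adapter@18.0.2"
    for cpe in ("cpe:2.3:a:keycloak:keycloak:18.0.2:::::::",
                "cpe:2.3:a:redhat:keycloak:18.0.2:::::::"):
        print(cpe, "->", "suppressed" if is_suppressed(rule, purl, cpe) else "still reported")
```

Under these assumptions the rule covers the keycloak:keycloak identifier but not the redhat:keycloak one listed above, which is worth checking before relying on a single `<cpe>` element to silence a finding.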