[FP]: plexus-cipher for CVE-2022-4244 #6905
Comments
|
Maven Coordinates <dependency>
<groupId>org.codehaus.plexus</groupId>
<artifactId>plexus-cipher</artifactId>
<version>2.0</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6905
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-cipher@.*$</packageUrl>
<cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10448114479 |
|
Have raised this one with the NVD as a data anomaly in the NVD data. There is a better CPE available in the CPE dictionary to link to the plexus-utils project explicitly (and the currently linked CPE is not registered in the CPE dictionary). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/org.codehaus.plexus/plexus-cipher@2.0
CPE
cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:::::::*
CVE
CVE-2022-4244
ODC Integration
None
ODC Version
10.0.3
Description
As per snyk reference the vulnerable component is plexus-utils, however in OWASP scan result subject CVE is reported on plexus-cipher & plexus-interpolation.
The vulnerable is applicable for version before 3.0.24, however latest available version from maven of plexus-cipher is 2.1.0 and plexus-interpolation is 1.27
https://security.snyk.io/vuln/SNYK-CENTOS7-PLEXUSUTILS-3183869
The text was updated successfully, but these errors were encountered: