[FP]: CVE-2023-4586 and sonatype-2020-0026 reported in io.netty:netty-handler:4.1.109.Final #6677
Comments
|
Maven Coordinates <dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
<version>4.1.109.Final</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6677
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9158865238 |
|
Maven Coordinates <dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
<version>4.1.109.Final</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6677
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9158999976 |
|
We can confirm nor deny, DependencyCheck simply reports on the information retrieved from OSSIndex and NVD data. Our automated scan however did not surface the issues, so it appears the attribution to unrelated versions has been fixed in the meanwhile in the OSSINDEX API. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/io.netty/[email protected]
CPE
cpe:2.3:a:netty:netty:4.1.109:::::::*
CVE
CVE-2023-4586 and sonatype-2020-0026
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
8.4.0
Description
CVE-2023-4586 and sonatype-2020-0026 are reported in io.netty:netty-handler:4.1.109.Final.
Official reports such as GHSA-57m8-f3v5-hm5m flags up to 4.1.99.Final but it is still reporting in 4.1.109 also.
Can one of the maintainers confirm whether 4.1.109.Final is vulnerable or not?
The text was updated successfully, but these errors were encountered: