
false positive CVE-2016-10542 in java project if dependency jar name contains word '-ws' #1535

Closed
vashistha opened this issue Oct 23, 2018 · 1 comment

Comments

@vashistha

Dependency check (`mvn clean org.owasp:dependency-check-maven:3.3.2:check`) returns a medium severity vulnerability if a dependency jar contains the word -ws. Moreover, the description suggests it is relevant to the Node.js platform.

CPE

cpe:/a:ws_project:ws:1.1.0::~~~node.js~~ and all previous versions

Description

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
MISC - https://github.com/nodejs/node/issues/7388
MISC - https://nodesecurity.io/advisories/120
Vulnerable Software & Versions:

cpe:/a:ws_project:ws:1.1.0::~~~node.js~~ and all previous versions

Reproducing the false positive vulnerability
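The practical workaround for a CPE mis-identification like this one, while waiting for the analyzer fix, is a dependency-check suppression file that drops the `ws_project:ws` CPE only for the jar(s) that were matched on the "-ws" fragment. The file below is an added example and is not part of this issue or of the dependency-check project; the groupId `com.example`, the artifactId pattern and the review-date text are placeholders, and the 1.1 suppression schema is assumed to be what the 3.x Maven plugin accepts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: constructed example, not from the project -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: the CPE for the Node.js 'ws' package (CVE-2016-10542)
        was matched on the '-ws' fragment of a Java artifact name. The jar is
        not a Node.js websocket library. Reviewed on: <date placeholder>.
        ]]></notes>
        <!-- groupId 'com.example' and the artifactId pattern are placeholders;
             keep the regex as narrow as possible so unrelated jars stay scanned -->
        <gav regex="true">^com\.example:[a-z0-9\-]+\-ws:.*$</gav>
        <!-- suppress only the mis-matched CPE, so genuine findings on the same jar
             (matched via a different CPE) still appear in the report -->
        <cpe>cpe:/a:ws_project:ws</cpe>
    </suppress>
</suppressions>
```

Point the Maven plugin at the file through its `suppressionFile` configuration parameter (name as of the 3.x plugin) and re-run the check; the finding disappears from the report while the CPE data itself is left untouched. Suppressing the CPE rather than the single CVE is deliberate: any other advisory that the same wrong CPE would pull in for this jar is dropped with it, whereas a new, correctly identified CPE on the jar is not affected.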

@vashistha vashistha changed the title false positive CVE-2016-10542 in java project name containing word -ws false positive CVE-2016-10542 in java project if dependency jar name contains word -ws Oct 23, 2018
@vashistha vashistha changed the title false positive CVE-2016-10542 in java project if dependency jar name contains word -ws false positive CVE-2016-10542 in java project if dependency jar name contains word '-ws' Oct 23, 2018
jeremylong added a commit that referenced this issue Oct 24, 2018
@lock

lock bot commented Nov 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 27, 2018