Questions tagged [cve]

74 questions
25 votes · 1 answer

How do I get details of a veracode vulnerability report?

How do I get details of a veracode vulnerability report? I'm a maintainer of a popular JS library, Ramda, and we've recently received a report that the library is subject to a prototype pollution vulnerability. This has been tracked back to a…

Scott Sauyet · 49,207 · 4 · 49 · 103
4 votes · 1 answer

VSCode doesn't recognize python cells - CVE instead

I try to run a notebook with the .ipynb extension, and the Jupyter notebook doesn't allow me to convert the cell to Python. When I click on the language button in the bottom-right corner, Python is on the list but it converts it automatically to…
3 votes · 1 answer

Why is a vulnerability identified by the OWASP Dependency-Check tool for Mule Runtime 4.4.0 if it doesn't actually belong to that version?

My mule application is built using mule runtime 4.4.0. In pom.xml of application, I have specified the "mule-http-connector@1.7.3" dependency as shown below: org.mule.connectors

Jaci_2019 · 31 · 2
3 votes · 2 answers

IntelliJ Package Checker not finding vulnerabilities

As said in the title, I cannot find any vulnerabilities in my project using the bundled Package Search plugin to find dependency vulnerabilities. I use IntelliJ IDEA 2022.1.3 (Ultimate Edition), and I checked it by putting for example the…
3 votes · 0 answers

OWASP step fails due to itextpdf-5.5.12 dependency (CVE-2021-43113)

In our project pom.xml we use flying-saucer-pdf-itext5 version 9.1.22, which has a dependency on itextpdf version 5.5.12. Our pipeline fails due to OWASP step complaining about itextpdf related to this security…

MehdiB · 870 · 12 · 34
2 votes · 1 answer

Why is a StackOverflowError worth a CVE?

Recently, vulnerability reports are accumulating against (Java) libraries that complain that the library offers a recursive function that may exhaust the available stack depth and cause a StackOverflowError on "malicious" input. The newest example…

haui · 567 · 5 · 18
2 votes · 0 answers

What is the "vulnerable" field in the cpe_match section of the CVEs in the NVD json feeds

I have looked for a long time to find what the "vulnerable" field of the "cpe_match" section of the "configurations" is. Most of the time that field is true, but there are CVEs where it is false. For example, CVE-2003-0947: "configurations" : { …

Larry · 21 · 2
2 votes · 1 answer

What does the line "/mifs/.;/services/LogService" mean

I am trying to understand CVE-2020-15505 - [RCE on MobileIron MDM] from some references like: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html they all start their exploit by using "POST…
1 vote · 2 answers

Cannot scan a local (unpushed) image for CVEs with Anchore Grype - workarounds

Apparently it is not possible to perform a security scan for vulnerabilities in a Docker image using Anchore Grype unless that image was previously pushed to a registry. This makes it currently unsuitable for gating your registry from vulnerable…

mirekphd · 4,799 · 3 · 38 · 59
1 vote · 0 answers

ignore known vulnerability in npm audit

npm audit is part of my Bitbucket pipeline. I use quill which introduces an XSS vulnerability. It was shipped via cdn, but now my app serves this dependency itself. npm audit now fails because of the XSS. I am not sure yet if this vulnerability is…

samjaf · 1,033 · 1 · 9 · 19
1 vote · 1 answer

fredsmith utils : CVE-2021-4277 fredsmith utils vulnerability

CVE NIST Description: A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to…

Narasimha · 49 · 2 · 7
1 vote · 0 answers

Should we scan yarn.lock files inside node_modules for CVEs?

AIM: we are trying to fix CVEs reported in an angular project (scanned using trivy scanner). Problem: None of the packages mentioned as vulnerable (as per trivy report) are direct dependent packages (not present in package.json) and are already used…

striker · 11 · 3
1 vote · 0 answers

Why does Yocto CVE Check need Artifactory and take so long to find CVEs?

I am new to Yocto and would like to know how Yocto CVE Check works. CVE Check finds the patched/unpatched on version number & patch added to the recipe. Are these the only 2 methods CVE Check uses? CVE Check seems to fetch the package artifactory from…

EzyHoo · 301 · 2 · 14
1 vote · 0 answers

How to pull a report of server name/id and kernel version of all servers in AWS?

I am using SSM to run uname -srm to identify the kernel versions of all the EC2 instances in a bunch of AWS accounts in my project, and I'm storing the results of the SSM commands on S3. Next, I'm downloading the S3 contents and doing a grep on the…

Biju · 820 · 1 · 11 · 34
1 vote · 1 answer

How to solve log4j2 CVE (CVE-2021-44228) issues for application under JBoss 7.x

I've some issues in porting some application running in a JBoss 7.1 environment from log4j to log4j2. I've ported my SW to log4j2 (2.17.1), but that is not enough. I'm understanding that JBoss configuration changes - not so simple - are needed to…

SJB · 71 · 8