[FP]: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
#6342
Closed
bhaskar-s-019 opened this issue
Dec 26, 2023
· 4 comments
OWASP Dependency Checker (8.4.1) reports Jetty version (9.4.50.v20221201) used in the environment as HIGH, which is inapplicable for the CVE as the vulnerability is only up to 9.4.38.
Please comment.
Your FP is not reproducible on 8.x with an up-to-date database. All CVEs reported for 9.4.50 are valid CVEs applicable to versions of Jetty beyond 9.4.51.
BTW the version of DependencyCheck you use is outdated and does not receive the latest vulnerability information from NVD anymore.
As the NVD datastreams have been fully replaced by the NVD API as of 15/12 you should update to version 9.x to have information on newly appearing vulnerabilities.
Package URL
pkg:maven/org.eclipse.jetty/jetty-util@.*
CPE
cpe:2.3:a:eclipse:jetty::::::::
CVE
CVE-2021-28165
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
8.4.1
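When triaging a report like this one, the deployed Jetty version can be compared directly against the affected ranges quoted in the issue title. The following is an added example, not code from this thread or from DependencyCheck; the function names and the qualifier ordering (alpha < beta < M < RC < release, with a `.vYYYYMMDD` build stamp treated as the release itself) are assumptions.

```python
import re

# Affected ranges exactly as stated in the issue title (bounds inclusive).
AFFECTED_RANGES = [
    ("7.2.2", "9.4.38"),
    ("10.0.0.alpha0", "10.0.1"),
    ("11.0.0.alpha0", "11.0.1"),
]

# Assumed ordering of Jetty pre-release qualifiers; a release sorts last.
_PRE_RANK = {"alpha": 0, "beta": 1, "m": 2, "rc": 3}
_RELEASE_RANK = 4
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?$")


def parse_jetty_version(text):
    """Turn '9.4.50.v20221201' or '10.0.0.alpha0' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch, qual, num = m.groups()
    qual = (qual or "").lower()
    if qual in ("", "v"):
        # Plain release, or a .vYYYYMMDD stamp that only dates the release.
        rank, seq = _RELEASE_RANK, 0
    elif qual in _PRE_RANK:
        rank, seq = _PRE_RANK[qual], int(num or 0)
    else:
        raise ValueError(f"unknown qualifier in {text!r}")
    return (int(major), int(minor), int(patch), rank, seq)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if version lies inside any inclusive (low, high) range."""
    v = parse_jetty_version(version)
    return any(
        parse_jetty_version(lo) <= v <= parse_jetty_version(hi)
        for lo, hi in ranges
    )


if __name__ == "__main__":
    # 9.4.50.v20221201 is the version named in the report; the others are
    # constructed boundary cases.
    for ver in ("9.4.50.v20221201", "9.4.38.v20210224", "10.0.0.beta3", "10.0.2"):
        print(f"{ver:20} affected={is_affected(ver)}")
```
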