Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FP]: express:4.21.2 | CVE-2024-10491 #7266

Open
psandeep09 opened this issue Dec 20, 2024 · 4 comments
Open

[FP]: express:4.21.2 | CVE-2024-10491 #7266

psandeep09 opened this issue Dec 20, 2024 · 4 comments
Labels
FP Report npm ossindex Label for issues that relate to the OSSIndex API won't fix

Comments

@psandeep09
Copy link

psandeep09 commented Dec 20, 2024

Package URl

pkg:npm/[email protected]

CPE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE

CVE-2024-10491

ODC Integration

{"label"=>"CLI"}

ODC Version

11.1.1

Description

The vulnerability applies to versions up to and including 3.21.2.

https://ogma.in/cve-2024-10491-mitigating-vulnerability-in-express-response-links

Copy link
Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12426648292

Copy link
Contributor

Npm Coordinates

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7266
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/express@.*$</packageUrl>
   <cpe>cpe:/a:N/AC:L/PR</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12446634008

@github-actions github-actions bot added the npm label Dec 21, 2024
@aikebah aikebah added ossindex Label for issues that relate to the OSSIndex API won't fix labels Dec 21, 2024
Copy link
Contributor

Npm Coordinates

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7266
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/express@.*$</packageUrl>
   <cpe>cpe:/a:N/AC:L/PR</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12446653426

@aikebah
Copy link
Collaborator

aikebah commented Dec 21, 2024

The (OSSINDEX) behind the CVE indicates that this vuln was sourced from the Sonatype OSSINDEX. You'd have to raise it with them as they list it as affected for this exact version

as you can see on

https://ossindex.sonatype.org/component/pkg:npm/[email protected]

upon sign-in

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
FP Report npm ossindex Label for issues that relate to the OSSIndex API won't fix
Projects
None yet
Development

No branches or pull requests

2 participants