[BUILD-1039] Dismiss CVE mismatch about info.magnolia.ocm:jackrabbit-ocm:2.0.1-magnolia
Created: 03/Apr/23 | Updated: 14/Apr/23 | Resolved: 03/Apr/23

| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Team: | |
| Work Started: | |
| Approved: | Yes |

| Description |
magnolia-community-webapp-6.2-SNAPSHOT.war: jackrabbit-ocm-2.0.1-magnolia.jar (pkg:maven/info.magnolia.ocm/jackrabbit-ocm@2.0.1-magnolia, cpe:2.3:a:apache:jackrabbit:2.0.1:*:*:*:*:*:*:*) : CVE-2015-1833

https://nvd.nist.gov/vuln/detail/CVE-2015-1833

The CVE is about an older Jackrabbit core version, up to and including 2.0.5 (Magnolia currently uses JR version 2.20.9), and mistakenly matches our recently released fork of the JR OCM library (Magnolia's fork actually resolves another CVE).