forked from ESAPI/esapi-java-legacy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
suppressions.xml
40 lines (38 loc) · 2.13 KB
/
suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<?xml version="1.0" encoding="UTF-8"?>
<!-- OWASP Dependency Check suppression file for ESAPI. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
<suppress>
<notes><![CDATA[
This suppresses CVE-2019-17571 for the log4j-1.2.17.jar dependency. ESAPI does
not use it in a manner that makes it exploitable and ESAPI is unable to
eliminate the dependency completely because our our deprecation policy. That specific
CVE is the Java deserialization CVE reported in Log4J 1's SocketServer class which ESAPI
doesn't use.
For further details, please see:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571,
ESAPI GitHub Issue #538 (https://github.com/ESAPI/esapi-java-legacy/issues/538),
and the ESAPI security advisory #2, "documentation/ESAPI-security-bulletin2.pdf", which
provides a detailed analysis of this issue in ESAPI.
]]></notes>
<gav regex="true">^log4j:log4j:1\.2\.17$</gav>
<cpe>cpe:/a:apache:log4j</cpe>
<cve>CVE-2019-17571</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses CVE-2020-9488 for the log4j-1.2.17.jar dependency. ESAPI does
not use it in a manner that makes it exploitable and ESAPI is unable to
eliminate the dependency completely because our our deprecation policy. That specific
CVE is the Java deserialization CVE reported in Log4J 1's SocketServer class which ESAPI
doesn't use.
For further details, please see:
https://nvd.nist.gov/vuln/detail/CVE-2020-9488,
ESAPI GitHub Issue #534 (https://github.com/ESAPI/esapi-java-legacy/issues/534),
and the ESAPI security advisory #4, "documentation/ESAPI-security-bulletin4.pdf", which
provides a detailed analysis of this issue in ESAPI.
]]></notes>
<gav regex="true">^log4j:log4j:1\.2\.17$</gav>
<cpe>cpe:/a:apache:log4j</cpe>
<cve>CVE-2020-9488</cve>
</suppress>
</suppressions>