The GHSA listed is not a source for DependencyCheck. NVD is, but as you indicate, it still needs to attribute the versions. OSSINDEX is also a source, and in there your exact version of the library is flagged as affected by the CVE.
Note that typically OSSINDEX does not take the CVE report at face value, but has their own team that decides on the applicability and may even decide to not accept a software change as fixing the reported vulnerability.
ODC correctly reports that one of the consulted resources (in this case OSSINDEX) is flagging the evaluated library as affected by the CVE.
Package URL
pkg:maven/dnsjava/[email protected]
CPE
null
CVE
CVE-2024-25638
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
10.0.3
Description
GHSA-cfxw-4h78-h7fw
https://nvd.nist.gov/vuln/detail/CVE-2024-25638#VulnChangeHistorySection
This vulnerability is still under analysis on the NVD website. On GitHub, this vulnerability only affects version 3.5.0 of dnsjava. 2.1.7 shall be unaffected.