Dependencycheck: false positive on javamail 1.6.0

Created on 26 Sep 2017 · 3 Comments · Source: jeremylong/DependencyCheck

(using version 2.1.1)

Reporting False Positives

When reporting a false positive please include:

  • The location of the dependency (Maven GAV, URL to download the dependency, etc.)
        <dependency>
            <groupId>com.sun.mail</groupId>
            <artifactId>javax.mail</artifactId>
            <version>1.6.0</version>
        </dependency>

  • The CPE that is believed to be false positive

    • Please report the CPE not the CVE

javax.mail-1.6.0.jar (com.sun.mail:javax.mail:1.6.0, cpe:/a:mail_project:mail:1.6.0) : CVE-2015-9097

in the report:
cpe: cpe:/a:mail_project:mail:1.6.0 Confidence:LOW

FP Report

All 3 comments

Ditto on all counts; it also reports javax.mail:javax.mail-api:1.6.0 on my system.

I see nothing in the CVE-2015-9097 entry in the current NIST CVE-2015 XML (see below) that mentions javax.mail.

Interestingly, the linked smtpi.pdf mentions JavaMail, but says the bug there was fixed in 1.5.5-SNAPSHOT.

<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" nvd_xml_version="2.0" pub_date="2017-09-28T03:06:20" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 https://scap.nist.gov/schema/nvd/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 https://scap.nist.gov/schema/nvd/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
    <!-- ... -->
    <entry id="CVE-2015-9097">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
        <cpe-lang:logical-test operator="OR" negate="false">
            <cpe-lang:fact-ref name="cpe:/a:mail_project:mail:2.5.4::~~~ruby~~"/>
        </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:vulnerable-software-list>
        <vuln:product>cpe:/a:mail_project:mail:2.5.4::~~~ruby~~</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-2015-9097</vuln:cve-id>
    <vuln:published-datetime>2017-06-12T16:29:00.237-04:00</vuln:published-datetime>
    <vuln:last-modified-datetime>2017-07-05T12:43:21.987-04:00</vuln:last-modified-datetime>
    <vuln:cvss>
        <cvss:base_metrics>
            <cvss:score>4.3</cvss:score>
            <cvss:access-vector>NETWORK</cvss:access-vector>
            <cvss:access-complexity>MEDIUM</cvss:access-complexity>
            <cvss:authentication>NONE</cvss:authentication>
            <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
            <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
            <cvss:availability-impact>NONE</cvss:availability-impact>
            <cvss:source>http://nvd.nist.gov</cvss:source>
            <cvss:generated-on-datetime>2017-07-03T10:41:59.567-04:00</cvss:generated-on-datetime>
        </cvss:base_metrics>
    </vuln:cvss>
    <vuln:cwe id="CWE-93"/>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="http://openwall.com/lists/oss-security/2015/12/11/3" xml:lang="en">http://openwall.com/lists/oss-security/2015/12/11/3</vuln:reference>
    </vuln:references>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="http://www.mbsd.jp/Whitepaper/smtpi.pdf" xml:lang="en">http://www.mbsd.jp/Whitepaper/smtpi.pdf</vuln:reference>
    </vuln:references>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83" xml:lang="en">https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83</vuln:reference>
    </vuln:references>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="https://github.com/mikel/mail/pull/1097" xml:lang="en">https://github.com/mikel/mail/pull/1097</vuln:reference>
    </vuln:references>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="https://github.com/rubysec/ruby-advisory-db/issues/215" xml:lang="en">https://github.com/rubysec/ruby-advisory-db/issues/215</vuln:reference>
    </vuln:references>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="https://hackerone.com/reports/137631" xml:lang="en">https://hackerone.com/reports/137631</vuln:reference>
    </vuln:references>
    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
        <vuln:source>MISC</vuln:source>
        <vuln:reference href="https://rubysec.com/advisories/mail-OSVDB-131677" xml:lang="en">https://rubysec.com/advisories/mail-OSVDB-131677</vuln:reference>
    </vuln:references>
    <vuln:summary>The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.</vuln:summary>
    </entry>
    <!-- ... -->
</nvd>
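To make the point in the comment above concrete, here is an added Python example (not code from the thread or from DependencyCheck) that parses an NVD 2.0 entry like the one quoted, unpacks the ~-packed edition field of the CPE 2.2 URI so its target_sw becomes visible, and checks whether the Ruby-only product CPE can apply to the Java artifact. The XML excerpt is constructed from the quoted entry, and labelling a Maven jar with the ecosystem "java" is an assumption of the example.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt of the NVD 2.0 feed entry quoted in the thread (same product CPE).
NVD_XML = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-2015-9097">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:mail_project:mail:2.5.4::~~~ruby~~</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-2015-9097</vuln:cve-id>
  </entry>
</nvd>"""
NS = {"nvd": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "vuln": "http://scap.nist.gov/schema/vulnerability/0.4"}
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PACKED = ("edition", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into named fields; a ~-packed edition
    (edition~sw_edition~target_sw~target_hw~other) is unpacked so target_sw is visible."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: " + uri)
    parts = uri[len("cpe:/"):].split(":")
    parts += [""] * (len(FIELDS) - len(parts))
    cpe = dict(zip(FIELDS, parts))
    ed = cpe["edition"]
    packed = ed.split("~")[1:] if ed.startswith("~") else [ed]
    packed += [""] * (len(PACKED) - len(packed))
    cpe.update(zip(PACKED, packed))
    return cpe


def vulnerable_products(xml_text, cve_id):
    """Product CPEs from the vulnerable-software-list of one entry in an NVD 2.0 feed."""
    for entry in ET.fromstring(xml_text).findall("nvd:entry", NS):
        if entry.get("id") == cve_id:
            return [p.text for p in entry.findall("vuln:vulnerable-software-list/vuln:product", NS)]
    return []


def applicable_products(found_cpe, ecosystem, xml_text, cve_id):
    """NVD product CPEs for cve_id that can apply to found_cpe: same vendor/product and,
    when the feed sets target_sw, the same ecosystem (a Maven jar is "java" here, by assumption)."""
    mine = parse_cpe22(found_cpe)
    hits = []
    for product in vulnerable_products(xml_text, cve_id):
        cpe = parse_cpe22(product)
        if (cpe["vendor"], cpe["product"]) != (mine["vendor"], mine["product"]):
            continue
        if cpe["target_sw"] and cpe["target_sw"] != ecosystem:
            continue  # the Ruby mail gem entry does not apply to a Java jar
        hits.append(product)
    return hits
```

For the javax.mail case, `applicable_products("cpe:/a:mail_project:mail:1.6.0", "java", NVD_XML, "CVE-2015-9097")` returns an empty list, which is the triage result a suppression for this finding should document.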

This is a fairly easy fix that will be included in the 3.0.0 release - thanks for reporting the FP!

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
