Dependencycheck: False Positive on Tomcat 9.0.38 and upper reporting CVE-2020-13943

Created on 27 Oct 2020 · 6 comments · Source: jeremylong/DependencyCheck

False positive on Tomcat 9.0.38+

According to Tomcat, the problem related to CVE-2020-13943 has been solved in version 9.0.38.
See: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38

CPE

cpe:2.3:a:apache:tomcat:9.0.38:*:*:*:*:*:*:*

CVE

CVE-2020-13943

Maven

<dependency>
   <groupId>org.apache.tomcat.embed</groupId>
   <artifactId>tomcat-embed-core</artifactId>
   <version>9.0.38</version>
</dependency>

FP Report
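As an added example, not code from the issue or from DependencyCheck itself: a small triage helper that parses the reported CPE, checks the matched version against the fixed-in version from the Tomcat advisory, and only for a confirmed false positive emits a suppression pinned to the exact package URL, so no lower (still affected) version is silenced and the entry becomes moot on the next upgrade. The element names follow DependencyCheck's documented suppression file format; the purl construction and the note text are assumptions of mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the FP report above; the fixed-in version is from the linked Tomcat advisory.
REPORTED_CPE = "cpe:2.3:a:apache:tomcat:9.0.38:*:*:*:*:*:*:*"
REPORTED_CVE = "CVE-2020-13943"
VENDOR_FIXED_IN = "9.0.38"
MAVEN_COORDS = ("org.apache.tomcat.embed", "tomcat-embed-core", "9.0.38")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named fields, honouring '\\:' escapes."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))

def version_key(v):
    """Tomcat-style versions: numeric dotted parts; a milestone (9.0.0.M1) sorts before 9.0.0."""
    m = re.fullmatch(r"((?:\d+\.)*\d+)(?:\.([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError("unparsable version %r" % v)
    nums = [int(x) for x in m.group(1).split(".")]
    return (nums, 1, "", 0) if not m.group(2) else (nums, 0, m.group(2), int(m.group(3) or 0))

def is_false_positive(cpe, fixed_in):
    """True only when the CPE carries a concrete version at or above the vendor's fix."""
    version = parse_cpe23(cpe)["version"]
    if version in ("*", "-"):
        return False  # wildcard/unknown version: the finding cannot be ruled out
    return version_key(version) >= version_key(fixed_in)

def suppression_xml(cve, purl, note):
    """Suppression pinned to one exact package URL: no regex, no blanket CVE suppression."""
    ns = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
    root = ET.Element("suppressions", xmlns=ns)
    sup = ET.SubElement(root, "suppress")
    ET.SubElement(sup, "notes").text = note
    ET.SubElement(sup, "packageUrl").text = purl
    ET.SubElement(sup, "cve").text = cve
    return ET.tostring(root, encoding="unicode")

def triage(cpe=REPORTED_CPE, cve=REPORTED_CVE, fixed_in=VENDOR_FIXED_IN, coords=MAVEN_COORDS):
    """Return suppression XML for a confirmed false positive, or None while the version is affected."""
    if not is_false_positive(cpe, fixed_in):
        return None
    purl = "pkg:maven/%s/%s@%s" % coords
    return suppression_xml(cve, purl, "%s fixed in %s per vendor advisory" % (cve, fixed_in))
```

Running `triage()` with the values from this report yields a suppression; the same call for a 9.0.37 CPE yields `None`, which is the signal to upgrade rather than suppress.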

All 6 comments

This is an issue within the NVD data, which somehow references v9.0.38 and v9.0.39 as vulnerable since 26th October even though those versions contain the fix. I've already contacted the Apache Security Team to fix the versions, but they claim that they don't have influence over the entry and that one should contact NVD directly to get it fixed, even though they are the CNA that requested/assigned the CVE entry in the first place according to Mitre.
I'm not sure to whom to report this misconfiguration.

Thanks for the information

@albuch I once contacted [email protected] via email regarding a similar issue. They solved that issue quite fast.
I also asked them if this is the right contact to choose for these issues. Their answer was:

This alias is the correct place to report issues regarding missing CPE URIs or for external submissions for folks who wish to directly contribute to the Official CPE Dictionary. Additionally, if you believe a CVE has been given an incorrect applicability statement so long as you can provide publicly available information that corroborates the claim we will review and make amendments as time and resources allow.

Do you want to write them an email? Or should I do that?
As far as I understand the wrong entries you mentioned are listed here: https://nvd.nist.gov/vuln/detail/CVE-2020-13943/cpes

@rd-matthias-jambor I've already contacted NIST on that e-mail two days ago, though no response yet.

NIST finally answered:

Good Afternoon,

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After reviewing publicly available information, we have made the appropriate modifications and removed the versions of Apache Tomcat that were not vulnerable IAW the vendor advisory. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds.

V/r,
Common Platform Enumeration Team
[email protected]

OK, good news!
