CVE-2019-12419


CVE-2019-12419

David Karlsen
https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf artifacts
(cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
* cxf-xjc-runtime-3.3.1.jar
* cxf-xjc-ts-3.1.0.jar

get marked as vulnerable - even though these are the latest versions and
unrelated to the issue - is there any way to get this fixed in the CVE? Are
you planning on newer versions?
If these were released with the same version as CXF the problem could be
avoided (we always run with the latest patch-level).

Any thoughts?

--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen

Re: CVE-2019-12419

Dennis Kieselhorst
> https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf artifacts
> (cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
> * cxf-xjc-runtime-3.3.1.jar
> * cxf-xjc-ts-3.1.0.jar
>
> gets marked as vulnerable - even though these are the latest version and
> unrelated to the issue - is there any way to get this fixed in the CVE? Are
> you planning on newer versions?
> If these were released with the same version as CXF the problem could be
> avoided (we always run with the latest patch-level).
>
> Any thoughts?
>
Hmm in the past I emailed [hidden email] and they fixed the pattern. Do
you have a working proposal already?

Best

Dennis


Re: CVE-2019-12419

coheigea
Administrator
Hi Dennis,

I checked a few of the more recent CVEs and they don't have that exclusion
pattern. Do you have a link to a CVE with the XJC exclusion? For now at
least we could mail NIST and ask them to update the pattern for any CVEs
that don't have the exclusion pattern.

Colm.

On Mon, Nov 2, 2020 at 7:56 PM Dennis Kieselhorst <[hidden email]> wrote:

> > https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf
> artifacts
> > (cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
> > * cxf-xjc-runtime-3.3.1.jar
> > * cxf-xjc-ts-3.1.0.jar
> >
> > gets marked as vulnerable - even though these are the latest version and
> > unrelated to the issue - is there any way to get this fixed in the CVE?
> Are
> > you planning on newer versions?
> > If these were released with the same version as CXF the problem could be
> > avoided (we always run with the latest patch-level).
> >
> > Any thoughts?
> >
> Hmm in the past I emailed [hidden email] and they fixed the pattern. Do
> you have a working proposal already?
>
> Best
>
> Dennis
>
>

Re: CVE-2019-12419

deki
Hi Colm,

In my case the issue was different (an incorrect version range). Therefore I have no example that excludes XJC.

Best,
Dennis
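The three remedies discussed in this thread (the wildcard CPE David quotes, the "XJC exclusion" Colm asks about, and the version-range fix Dennis got from NIST) can be made concrete with a small CPE 2.3 matcher. The following is an added illustration, not code from the thread, from Apache CXF or from NVD: the `CONSTRUCTED_FIX_VERSION` value, the `cxf-core` record and its version are constructed for the demonstration (the real fix version is not on this page), and `derive_cpe` models an assumed scanner mapping rule, not any particular tool's behaviour.

```python
"""Toy CPE 2.3 matcher showing how CVE-2019-12419's wildcard CPE
(cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) catches every jar a scanner files
under vendor "apache", product "cxf", and how a bounded version range and a
per-artifact product change the outcome.  Added example; fix version, the
cxf-core record and the scanner mapping are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Component order of a cpe:2.3 formatted string (after the "cpe" and "2.3" prefix).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# The CPE quoted from NVD in the first post of the thread.
CVE_2019_12419_CPE = "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"

# Constructed upper bound for illustration only; NOT the real fix version.
CONSTRUCTED_FIX_VERSION = "3.3.2"


def parse_cpe23(uri: str) -> dict:
    """Split a cpe:2.3 formatted string into its eleven named components."""
    parts = uri.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a cpe:2.3 formatted string: {uri!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(version: str) -> tuple:
    """Dotted version -> tuple of ints, so that 3.3.1 < 3.3.2 (simplified, no qualifiers)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def cpe_matches(pattern: str, target: str,
                version_end_excluding: Optional[str] = None) -> bool:
    """NVD-style match: '*' in the pattern accepts anything, any other component
    must be equal; the optional exclusive upper bound models the
    versionEndExcluding field of an NVD cpe_match entry."""
    pat, tgt = parse_cpe23(pattern), parse_cpe23(target)
    if any(pat[f] not in ("*", tgt[f]) for f in CPE_FIELDS):
        return False
    if version_end_excluding is not None and tgt["version"] != "*":
        return version_key(tgt["version"]) < version_key(version_end_excluding)
    return True


@dataclass(frozen=True)
class Artifact:
    artifact_id: str
    version: str


# The two jars named in the thread, plus one constructed core artifact for contrast.
ARTIFACTS = (
    Artifact("cxf-xjc-runtime", "3.3.1"),
    Artifact("cxf-xjc-ts", "3.1.0"),
    Artifact("cxf-core", "3.3.9"),        # constructed record and version
)


def derive_cpe(artifact: Artifact, product_from_artifact_id: bool) -> str:
    """Assumed scanner behaviour: either file every CXF jar under the umbrella
    product 'cxf' (the source of the false positive) or use the artifact id as
    the product, which is what an 'XJC exclusion' effectively achieves."""
    product = artifact.artifact_id if product_from_artifact_id else "cxf"
    return f"cpe:2.3:a:apache:{product}:{artifact.version}:*:*:*:*:*:*:*"


def flagged(pattern: str, version_end_excluding: Optional[str] = None,
            product_from_artifact_id: bool = False) -> list:
    """Artifact ids the given match entry would mark as vulnerable."""
    return [a.artifact_id for a in ARTIFACTS
            if cpe_matches(pattern, derive_cpe(a, product_from_artifact_id),
                           version_end_excluding)]


if __name__ == "__main__":
    print("wildcard only:      ", flagged(CVE_2019_12419_CPE))
    print("with version range: ", flagged(CVE_2019_12419_CPE, CONSTRUCTED_FIX_VERSION))
    print("product per jar:    ", flagged(CVE_2019_12419_CPE, CONSTRUCTED_FIX_VERSION, True))
```

Running it shows the three situations from the thread: the wildcard CPE flags all three jars; a version-bounded entry clears the (constructed) `cxf-core` 3.3.9 but still flags `cxf-xjc-runtime` 3.3.1 and `cxf-xjc-ts` 3.1.0, because the XJC artifacts are versioned independently of CXF, which is exactly why David suggests releasing them with the same version numbers; only a CPE whose product component is specific to the XJC jars (the "exclusion pattern") stops matching them regardless of version.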