|
40 | 40 | <suppress> |
41 | 41 | <notes><![CDATA[ |
42 | 42 | This suppresses CVE-2021-4104 for the log4j-1.2.17.jar dependency. ESAPI's |
43 | | - default configuration uses ConsoleAppender rathere than JMSAppender and |
| 43 | + default configuration uses ConsoleAppender rather than JMSAppender and |
44 | 44 | thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to |
45 | 45 | eliminate the dependency completely because our our deprecation policy. |
46 | 46 |
|
|
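Review bot: context line 45 of this hunk still carries the same kind of slip the hunk fixes on line 43: "because our our deprecation policy" should read "because of our deprecation policy". Since the change is already touching this notes block, fold that correction in rather than leaving the doubled word in the shipped suppression rationale for CVE-2021-4104.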
53 | 53 | <cpe>cpe:/a:apache:log4j</cpe> |
54 | 54 | <cve>CVE-2021-4104</cve> |
55 | 55 | </suppress> |
| 56 | + <suppress> |
| 57 | + <notes><![CDATA[ |
| 58 | + This suppresses CVE-2022-23305 for the log4j-1.2.17.jar dependency. ESAPI's |
| 59 | + default configuration uses ConsoleAppender rather than JDBCAppender and |
| 60 | + thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to |
| 61 | + eliminate the dependency completely because our our deprecation policy. |
| 62 | +
|
| 63 | + For further details, please see: |
| 64 | + https://nvd.nist.gov/vuln/detail/CVE-2022-23305 and |
| 65 | + the ESAPI security advisory #7, "documentation/ESAPI-security-bulletin7.pdf", which |
| 66 | + provides a detailed analysis of this issue in ESAPI. |
| 67 | + ]]></notes> |
| 68 | + <gav regex="true">^log4j:log4j:1\.2\.17$</gav> |
| 69 | + <cpe>cpe:/a:apache:log4j</cpe> |
| 70 | + <cve>CVE-2022-23305</cve> |
| 71 | + </suppress> |
| 72 | +<!-- |
| 73 | +java-8 Integration - content required for successful owasp dependency-check execution |
| 74 | +MISSING Security Bulletin content! |
| 75 | +
|
| 76 | + <suppress> |
| 77 | + <notes><![CDATA[ |
| 78 | + This suppresses CVE-2022-23307 for the log4j-1.2.17.jar dependency. ESAPI's |
| 79 | + default configuration uses ConsoleAppender rather than Chainsaw and |
| 80 | + thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to |
| 81 | + eliminate the dependency completely because our our deprecation policy. |
| 82 | +
|
| 83 | + For further details, please see: |
| 84 | + https://nvd.nist.gov/vuln/detail/CVE-2022-23307 and |
| 85 | +
|
| 86 | +-> NEEDS BULLETIN REFERENCE |
| 87 | +
|
| 88 | + ]]></notes> |
| 89 | + <gav regex="true">^log4j:log4j:1\.2\.17$</gav> |
| 90 | + <cpe>cpe:/a:apache:log4j</cpe> |
| 91 | + <cve>CVE-2022-23307</cve> |
| 92 | + </suppress> |
| 93 | + <suppress> |
| 94 | + <notes><![CDATA[ |
| 95 | + This suppresses CVE-2022-23302 for the log4j-1.2.17.jar dependency. ESAPI's |
| 96 | + default configuration uses ConsoleAppender rather than JMSAppender and |
| 97 | + thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to |
| 98 | + eliminate the dependency completely because our our deprecation policy. |
| 99 | + By virtue of not using a JMSAppender, the exploitable nature of the JMSSink implementation |
| 100 | + referenced by this CVE is also mitigated. |
| 101 | +
|
| 102 | + For further details, please see: |
| 103 | + https://nvd.nist.gov/vuln/detail/CVE-2022-23302 |
| 104 | +-> NEEDS BULLETIN REFERENCE |
| 105 | +
|
| 106 | + ]]></notes> |
| 107 | + <gav regex="true">^log4j:log4j:1\.2\.17$</gav> |
| 108 | + <cpe>cpe:/a:apache:log4j</cpe> |
| 109 | + <cve>CVE-2022-23302</cve> |
| 110 | + </suppress> |
| 111 | +--> |
| 112 | + <suppress> |
| 113 | + <notes><![CDATA[ |
| 114 | + FIXME: Once we switch to Java 8 as the minimal JDK, update commons-io to the latest and delete this. |
| 115 | +
|
| 116 | + This CVE is path traversal issue in FileNameUtils.normalize(). That class is not used directly or indirectly |
| 117 | + by ESAPI. We are required to use an older version of Commons-IO because of a direct dependency on Antisamy. |
| 118 | +
|
| 119 | + file name: commons-io-2.6.jar |
| 120 | + ]]></notes> |
| 121 | + <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl> |
| 122 | + <cve>CVE-2021-29425</cve> |
| 123 | + </suppress> |
56 | 124 | <suppress> |
57 | 125 | <notes><![CDATA[ |
58 | 126 | ESAPI does not use this jar directly. It is a transitive dependency of AntiSamy and (as per Dave Wichers on |
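Review bot: the suppressions for CVE-2022-23307 and CVE-2022-23302 (new lines 76 to 110) sit inside an XML comment, so dependency-check will still fail on those two CVEs even though the comment at new line 73 says this content is required for a successful run; either uncomment them with the bulletin reference filled in, or keep the placeholders out of this commit and track them in an issue, because "MISSING Security Bulletin content!" and "-> NEEDS BULLETIN REFERENCE" will otherwise ship in the file indefinitely. The rationale at new line 79 also needs rewording before it is enabled: Chainsaw is not an appender but the log viewer bundled with log4j 1.2.x, so the justification should say that ESAPI neither ships nor invokes the Chainsaw classes rather than that it "uses ConsoleAppender rather than Chainsaw"; likewise at new lines 99 and 100, JMSSink is a standalone receiver class, so not configuring a JMSAppender does not by itself mitigate it, and the note should state that ESAPI never runs JMSSink. Three of the new notes blocks (new lines 61, 81, 98) copy the existing typo "because our our deprecation policy"; change to "because of our deprecation policy". For the commons-io suppression, the packageUrl regex `^pkg:maven/commons\-io/commons\-io@.*$` matches every version, so the FIXME at new line 114 will never be enforced by the tool once commons-io is upgraded; pin it to `@2\.6$` (matching the file name already given at new line 119) so the suppression expires on upgrade. At new line 116 the class is `FilenameUtils` (lowercase n), and "Antisamy" at new line 117 should be AntiSamy to match new line 126.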