CVE-2023-5763 Vulnerability

[isumaeru46]

Hello,

I have a project that uses "quarkus-scheduler" with version 3.5.1 of quarkus.

However, when I ran owasp:dependency-check, it showed a vulnerability in my project regarding the lib "expressly-5.0.0.jar" used by "quarkus-scheduler".

I did a little research and was unable to identify how this vulnerability could affect my project. Has anyone ever experienced this?

[antoniocanelas]

I'm having the same issue on my project.

:(

[gsmet]

This owasp tool is well known for its false positives so you will need to check things thoroughly on your side unfortunately before being sure there is a vulnerability.

CVE-2023-5763 is about GlassFish not Expressly and Expressly is seen as GlassFish probably because the groupId is org.glassfish.expressly. Unfortunately the owasp rules are not very reliable, especially when new components come up as it's the case for Expressly.