
CVE-2021-33813 purl mapping is incomplete. #100

Open
cg122 opened this issue Nov 25, 2021 · 1 comment
Comments

cg122 commented Nov 25, 2021

CVE-2021-33813 is mapped to the following purls:

    "pkg:maven/org.jdom/jdom@1.1.2",
    "pkg:maven/org.jdom/jdom@1.1.3",
    "pkg:maven/org.jdom/jdom@2.0.0",
    "pkg:maven/org.jdom/jdom@2.0.1",
    "pkg:maven/org.jdom/jdom@2.0.2"

The CVE description suggests 2.0.6 is also affected.

"An XXE issue in SAXBuilder in JDOM through 2.0.6 ..."

This may be caused by the naming issue of jdom as described in "Which Maven artefact should I use?".

"All JDOM versions are available in the 'jdom' or 'jdom2' artifact in the org.jdom group on Maven. The maven artifacts are a mess with early JDOM 2.x versions appearing in the 'jdom' artifacts, and later 2.x versions in the 'jdom2' artifact. Maven does not allow the fixing of mistakes, so maven users will just have to live with it as it is."

@MagielBruntink
Member

Yep, there is no 2.0.6 version of org.jdom:jdom. However there is 2.0.6 for org.jdom:jdom2, which we do not link to this CVE. Also GHSA lists org.jdom:jdom as the Maven artifact only.
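The gap both posts describe is a matching problem: the CVE's affected range ("JDOM through 2.0.6") is expressed against the upstream project, while the purl mapping is keyed on a single Maven artifact name, so releases that moved to the `jdom2` artifact fall outside it. The script below is an added example, not code from this project or from the issue authors. It parses the purls from the issue, treats `org.jdom:jdom` and `org.jdom:jdom2` as the same upstream project (an assumption taken from the JDOM FAQ quoted above), reads "through 2.0.6" as an inclusive upper bound (also an assumption), and reports releases that fall in the affected range but are missing from the mapping. The release list it scans is constructed for the example; the `9.9.9` version is a placeholder standing in for any release above the affected range.

```python
"""Find purls a CVE mapping misses when one project ships under several
artifact names. Added example, not the project's own code.

Assumptions (not stated by the advisory itself):
  * "JDOM through 2.0.6" means every version <= 2.0.6, inclusive.
  * org.jdom:jdom and org.jdom:jdom2 carry the same upstream code, as the
    JDOM FAQ quoted in the issue describes.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def parse_purl(purl: str) -> Purl:
    """Parse the purl subset used here: pkg:TYPE/NAMESPACE/NAME@VERSION.

    Qualifiers (?...) and subpaths (#...) are rejected rather than ignored so
    that a malformed or unexpected purl never silently matches.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    if "?" in body or "#" in body:
        raise ValueError(f"qualifiers/subpaths not supported here: {purl}")
    path, sep, version = body.partition("@")
    if not sep or not version:
        raise ValueError(f"purl without a version: {purl}")
    parts = path.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected pkg:type/namespace/name@version: {purl}")
    ptype, namespace, name = parts
    return Purl(ptype, namespace, name, version)


def version_key(version: str) -> tuple:
    """Sort key for dotted numeric versions such as 2.0.6.

    Simplification: non-numeric components sort as 0. Tuple comparison makes
    (2, 0, 6) < (2, 0, 6, 1), so a four-part follow-up release sorts above 2.0.6.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


# Artifact coordinates that carry JDOM code (assumption: both names, per the FAQ).
JDOM_ARTIFACTS = {
    ("maven", "org.jdom", "jdom"),
    ("maven", "org.jdom", "jdom2"),
}

# "An XXE issue in SAXBuilder in JDOM through 2.0.6" read as an inclusive bound.
CVE_2021_33813_MAX_AFFECTED = "2.0.6"


def is_affected(purl: str) -> bool:
    """True when the purl names a JDOM artifact at a version <= 2.0.6."""
    p = parse_purl(purl)
    if (p.type, p.namespace, p.name) not in JDOM_ARTIFACTS:
        return False
    return version_key(p.version) <= version_key(CVE_2021_33813_MAX_AFFECTED)


def missing_from_mapping(mapped: Iterable[str], known_releases: Iterable[str]) -> list:
    """Releases inside the affected range that the mapping does not list."""
    mapped_set = set(mapped)
    return sorted(r for r in known_releases if is_affected(r) and r not in mapped_set)


# The purls the issue reports as currently mapped to CVE-2021-33813.
MAPPED = [
    "pkg:maven/org.jdom/jdom@1.1.2",
    "pkg:maven/org.jdom/jdom@1.1.3",
    "pkg:maven/org.jdom/jdom@2.0.0",
    "pkg:maven/org.jdom/jdom@2.0.1",
    "pkg:maven/org.jdom/jdom@2.0.2",
]

# Constructed release list: the mapped purls, the jdom2 2.0.6 release named in
# the comment, and a placeholder version (9.9.9) that lies above the range.
KNOWN_RELEASES = MAPPED + [
    "pkg:maven/org.jdom/jdom2@2.0.6",
    "pkg:maven/org.jdom/jdom2@9.9.9",
]

if __name__ == "__main__":
    for purl in missing_from_mapping(MAPPED, KNOWN_RELEASES):
        print("affected but unmapped:", purl)
```

Run as written, it reports `pkg:maven/org.jdom/jdom2@2.0.6` as affected but unmapped, which is exactly the gap the comment above points out. The same check can be turned around for an SBOM: feed the SBOM's purls in as `known_releases` and an empty mapping, and anything returned is a component the artifact-name-keyed mapping would have let through.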
