Describe the bug
CVE Data from OSSINDEX is not correctly interpreted.
This leads to CVE-2023-20860 ("CRITICAL") being reported as "HIGH".
Version of dependency-check used
The problem occurs using the version 8.2.1 CLI.
To Reproduce
Steps to reproduce the behavior:
- Create a new empty folder and navigate to it
- Put vulnerable library inside
curl -O https://repo1.maven.org/maven2/org/springframework/spring-webmvc/5.3.22/spring-webmvc-5.3.22.jar
- Run the DependencyCheck CLI
path_to\dependency-check.bat -s . --log log.txt
- Replay the call to OSS Index to check that it really returns a CVSSv3.1 attack vector and a CRITICAL base score (the JSON body's inner quotes are escaped so the shell passes them through):
curl -X POST -H "Content-Type: application/vnd.ossindex.component-report-request.v1+json" -d "{\"coordinates\":[\"pkg:maven/org.springframework/spring-webmvc@5.3.22\"]}" https://ossindex.sonatype.org/api/v3/component-report
Results in the following response that contains a CVSSv3.1 vector and score:
[{
"coordinates": "pkg:maven/org.springframework/spring-webmvc@5.3.22",
"description": "",
"reference": "https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-webmvc@5.3.22?utm_source=curl&utm_medium=integration&utm_content=7.83.1",
"vulnerabilities": [{
"id": "CVE-2023-20860",
"displayName": "CVE-2023-20860",
"title": "[CVE-2023-20860] CWE-284: Improper Access Control",
"description": "spring - Improper Access Control (Access Bypass)\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20860 for details",
"cvssScore": 9.1,
"cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe": "CWE-284",
"cve": "CVE-2023-20860",
"reference": "https://ossindex.sonatype.org/vulnerability/CVE-2023-20860?component-type=maven&component-name=org.springframework%2Fspring-webmvc&utm_source=curl&utm_medium=integration&utm_content=7.83.1",
"externalReferences": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-20860", "https://spring.io/security/cve-2023-20860"]
}]}]
- Check dependency-check-report.html
It reports the CRITICAL CVE as HIGH severity with a CVSSv2 score:
CVSSv2:
Base Score: HIGH (9.1)
Expected behavior
The report should look like this:
CVSSv3.1:
Base Score: CRITICAL (9.1)
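To make the mismatch concrete, here is an added example (not dependency-check's own code) that reads the OSS Index response quoted above, picks the CVSS version from the vector prefix, and rates the score on the scale that belongs to that version; rating the same 9.1 on the v2 scale gives HIGH, which is what the report currently shows. The trimmed response and the band tables are constructed for this example.

```python
import json

# Trimmed copy (constructed for this example) of the OSS Index response quoted
# in the report above; only the fields the severity logic needs are kept.
OSSINDEX_RESPONSE = json.loads("""[{
  "coordinates": "pkg:maven/org.springframework/spring-webmvc@5.3.22",
  "vulnerabilities": [{
    "id": "CVE-2023-20860",
    "cvssScore": 9.1,
    "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
  }]
}]""")

# Qualitative rating bands: v2 tops out at HIGH, v3.x adds CRITICAL from 9.0.
BANDS = {
    "2.0": [(7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")],
    "3.x": [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"), (0.0, "NONE")],
}


def cvss_version(vector: str) -> str:
    """Derive the CVSS version from the vector prefix: v3.x vectors start
    with 'CVSS:3.0/' or 'CVSS:3.1/', v2 vectors have no prefix ('AV:...')."""
    if vector.startswith(("CVSS:3.0/", "CVSS:3.1/")):
        return vector[5:8]  # "3.0" or "3.1"
    if vector.lstrip("(").startswith("AV:"):
        return "2.0"
    raise ValueError(f"unrecognised CVSS vector: {vector!r}")


def severity(score: float, version: str) -> str:
    """Rate a base score on the scale that belongs to its CVSS version."""
    bands = BANDS["2.0"] if version == "2.0" else BANDS["3.x"]
    return next(label for floor, label in bands if score >= floor)


def rate(vuln: dict) -> tuple[str, str]:
    """(report label, severity) for one OSS Index vulnerability entry."""
    version = cvss_version(vuln["cvssVector"])
    return f"CVSSv{version}", severity(vuln["cvssScore"], version)


def report(response: list) -> dict:
    """CVE id -> (label, severity) for every vulnerability in the response."""
    return {v["id"]: rate(v) for comp in response for v in comp["vulnerabilities"]}


if __name__ == "__main__":
    for cve, (label, sev) in report(OSSINDEX_RESPONSE).items():
        print(f"{cve}: {label}: Base Score: {sev}")
```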
Additional context
I created a new issue as the severity mismatch seems more severe than what is described in the similar issue #5019