Describe the bug
CVE-2024-28752, which is CRITICAL according to OSS Index, is reported as HIGH by dependency-check.
Version of dependency-check used
The problem occurs using version 9.2.0 of the CLI.
To Reproduce
Get the problem jar:
wget https://repo1.maven.org/maven2/org/apache/cxf/cxf-core/3.4.10/cxf-core-3.4.10.jar
Run the CLI:
dependency-check.sh --format json --nvdApiKey XXXXXXX -s . --log log.txt
Dump the JSON.
Expected behavior
Expected a severity of CRITICAL, but it is recorded as HIGH.
Additional context
log.txt shows this request.
Making the same OSS Index request:
curl -X POST -H "Content-Type: application/vnd.ossindex.component-report-request.v1+json" -d '{"coordinates":["pkg:maven/org.apache.cxf/cxf-core@3.4.10"]}' https://ossindex.sonatype.org/api/v3/component-report | jq
Output:
[
  {
    "coordinates": "pkg:maven/org.apache.cxf/cxf-core@3.4.10",
    "description": "Apache CXF Core",
    "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.apache.cxf/cxf-core@3.4.10?utm_source=curl&utm_medium=integration&utm_content=8.6.0",
    "vulnerabilities": [
      {
        "id": "CVE-2024-28752",
        "displayName": "CVE-2024-28752",
        "title": "[CVE-2024-28752] CWE-918: Server-Side Request Forgery (SSRF)",
        "description": "A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.\n\n",
        "cvssScore": 9.3,
        "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "cwe": "CWE-918",
        "cve": "CVE-2024-28752",
        "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2024-28752?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=curl&utm_medium=integration&utm_content=8.6.0",
        "externalReferences": [
          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28752",
          "https://github.com/advisories/GHSA-qmgx-j96g-4428"
        ]
      }
    ]
  }
]
It returns a CVSS:4.0 vector; maybe that is related.
Scoring that vector confirms the 9.3 score, but with a critical severity:
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Shows:
CVSS v4.0 Score: 9.3 / Critical
Macro vector: 000200
Exploitability: High
Complexity: High
Vulnerable system: High
Subsequent system: Low
Exploitation: High
Security requirements: High
Also the Web UI confirms it has critical severity: https://ossindex.sonatype.org/vulnerability/CVE-2024-28752?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=dependency-check&utm_medium=integration&utm_content=9.2.0
Similar to the closed issue #5598, but that one seems related to CVSS 3.1 vectors and this one maybe to CVSS 4.0 vectors.
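As an added example, not part of the issue above and not dependency-check or OSS Index code, the Python below parses the OSS Index response quoted in the report, derives the CVSS v4.0 macro vector from the vector string (it comes out as 000200, the same value the FIRST calculator readout above shows), and maps the reported cvssScore onto the qualitative bands FIRST defines identically for CVSS v3.x and v4.0: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical. The numeric score is taken from the response rather than recomputed, since recomputing it needs the specification's full macro-vector lookup table. SAMPLE_REPORT is a constructed, trimmed copy of the JSON above, and the function names are this example's own.

```python
"""Added example for this issue (not dependency-check or OSS Index code):
derive the CVSS v4.0 macro vector and the qualitative severity band from an
OSS Index component report, so the expected CRITICAL rating can be checked."""
import json

# Constructed sample: a trimmed copy of the OSS Index v3 component-report
# response quoted in the issue, keeping only the fields used here.
SAMPLE_REPORT = json.dumps([{
    "coordinates": "pkg:maven/org.apache.cxf/cxf-core@3.4.10",
    "vulnerabilities": [{
        "cve": "CVE-2024-28752",
        "cvssScore": 9.3,
        "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
    }],
}])


def parse_vector(vector):
    """Split 'CVSS:4.0/AV:N/...' into (version, {metric: value})."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:"):
        raise ValueError(f"not a CVSS vector: {vector!r}")
    return head[len("CVSS:"):], dict(p.split(":", 1) for p in parts)


def _effective(metrics, name):
    """An environmental 'M<name>' metric overrides the base one unless it is X."""
    modified = metrics.get("M" + name, "X")
    return modified if modified != "X" else metrics.get(name, "X")


def macro_vector(metrics):
    """CVSS v4.0 macro vector (EQ1..EQ6) as defined in the v4.0 specification.
    An omitted E is scored as A; omitted CR/IR/AR are scored as H."""
    m = lambda name: _effective(metrics, name)
    av, pr, ui = m("AV"), m("PR"), m("UI")
    if av == "N" and pr == "N" and ui == "N":
        eq1 = 0
    elif "N" in (av, pr, ui) and av != "P":
        eq1 = 1
    else:
        eq1 = 2
    eq2 = 0 if m("AC") == "L" and m("AT") == "N" else 1
    vc, vi, va = m("VC"), m("VI"), m("VA")
    if vc == "H" and vi == "H":
        eq3 = 0
    elif "H" in (vc, vi, va):
        eq3 = 1
    else:
        eq3 = 2
    sc, si, sa = m("SC"), m("SI"), m("SA")
    if si == "S" or sa == "S":  # Safety impact is only reachable via MSI/MSA
        eq4 = 0
    elif "H" in (sc, si, sa):
        eq4 = 1
    else:
        eq4 = 2
    eq5 = {"A": 0, "X": 0, "P": 1, "U": 2}[metrics.get("E", "X")]
    req = {n: metrics.get(n, "X") for n in ("CR", "IR", "AR")}
    req = {n: ("H" if v == "X" else v) for n, v in req.items()}
    eq6 = 0 if ((req["CR"] == "H" and vc == "H")
                or (req["IR"] == "H" and vi == "H")
                or (req["AR"] == "H" and va == "H")) else 1
    return f"{eq1}{eq2}{eq3}{eq4}{eq5}{eq6}"


def qualitative_severity(score):
    """Qualitative rating scale shared by CVSS v3.x and v4.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def rate_report(report_json):
    """One row per vulnerability: CVSS version, macro vector (v4.0 only),
    reported score, and the band that score should be reported under."""
    rows = []
    for component in json.loads(report_json):
        for vuln in component.get("vulnerabilities", []):
            version, metrics = parse_vector(vuln["cvssVector"])
            rows.append({
                "coordinates": component["coordinates"],
                "cve": vuln["cve"],
                "cvss_version": version,
                "macro_vector": macro_vector(metrics) if version == "4.0" else None,
                "score": vuln["cvssScore"],
                "severity": qualitative_severity(vuln["cvssScore"]),
            })
    return rows


if __name__ == "__main__":
    for row in rate_report(SAMPLE_REPORT):
        print(row)
```

Run stand-alone it prints one row with cvss_version 4.0, macro_vector 000200 and severity CRITICAL. A consumer that files a 9.3 under HIGH is applying some band boundary other than the 9.0 cut-off both CVSS versions share, so checking its mapping against this function isolates whether the vector version or the band table is the culprit.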