
CVE-2017-7525 is a Vulnerability in jackson-databind, not Apache Struts #54

Open
nuthanmunaiah opened this issue Mar 23, 2021 · 1 comment

Comments

@nuthanmunaiah

Description

According to NVD, CVE-2017-7525 is a vulnerability in jackson-databind, not Apache Struts. The vulnerability was fixed in FasterXML/jackson-databind#1599. Apache Struts was merely modified in apache/struts@0d42ff5, apache/struts@941374e, and apache/struts@a2824b7 to upgrade to Jackson version 2.9.2.

Should CVE-2017-7525 be curated as a vulnerability in the Apache Struts project?

@beefstew

During discussion with Andy and Nuthan, we agreed that "supply chain vulnerabilities" are a fundamentally different type than a VCC. Therefore, in this example, VCC should be null.

Regarding supply chain vulnerability lifecycle:
Date of introduction is the point that a vulnerability is published, or a fix version becomes available, in the upstream project.
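As an added example (not code from this issue, from Apache Struts or from jackson-databind), the kind of check the two posts above imply for a supply-chain case: a downstream pom.xml pinning a dependency below the version in which the upstream fix shipped. The pom fragment is constructed, and 2.9.2 (the version Struts upgraded to) is assumed as the threshold; the actual fixed range should be taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample pom.xml (not from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.8.6</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.13</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v: str) -> tuple:
    """Turn '2.8.11.1' into (2, 8, 11, 1) so tuples compare numerically.
    Non-numeric qualifiers (e.g. '-rc1') are ignored and compare as the release."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())


def dependency_version(pom_xml: str, group: str, artifact: str) -> Optional[str]:
    """Return the pinned <version> of group:artifact, or None if not declared."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        if (dep.findtext("m:groupId", namespaces=NS) == group
                and dep.findtext("m:artifactId", namespaces=NS) == artifact):
            return dep.findtext("m:version", namespaces=NS)
    return None


def affected_by_upstream(pom_xml: str, group: str, artifact: str, fixed_version: str) -> bool:
    """True when the pom pins the dependency below the upstream fix version
    (assumed threshold: the version the downstream project upgraded to)."""
    pinned = dependency_version(pom_xml, group, artifact)
    if pinned is None:
        return False
    return parse_version(pinned) < parse_version(fixed_version)
```

Note that a pom pin is only one source of truth; the resolved dependency tree (for example from `mvn dependency:tree`) is what actually ends up on the classpath.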
