-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathowasp.suppressions.xml
52 lines (42 loc) · 2.33 KB
/
owasp.suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2025-02-01Z">
<notes>
<![CDATA[file name: logback-core-1.5.11.jar]]>
This vulnerability is fixed in 1.5.13.
Spring boot versions 3.4.2+ imports 1.5.16. This is expected to be released in late Jan 2025.
The attack involves the modification of DOCTYPE declaration in XML configuration files.
The attack requires existing privilege so the risk is low.
</notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
<vulnerabilityName>CVE-2024-12801</vulnerabilityName>
</suppress>
<suppress until="2025-02-01Z">
<notes>
<![CDATA[file name: logback-core-1.5.11.jar]]>
This vulnerability is fixed in 1.5.13.
Spring boot versions 3.4.2+ imports 1.5.16. This is expected to be released in late Jan 2025.
A successful attack requires the user to have write access to a configuration file.
Alternatively, the attacker could inject a malicious environment variable
pointing to a malicious configuration file.
In both cases, the attack requires existing privilege so the risk is low.
</notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
<vulnerabilityName>CVE-2024-12798</vulnerabilityName>
</suppress>
<suppress until="2025-07-01Z">
<notes>
<![CDATA[file name: commons-io-2.11.0.jar]]>
Fixed in 2.14.0
Package imported by the `jsonschema2pojo` plugin before 1.2.2.
jsonschema2dataclass:6.0.0 imports jsonschema2pojo:1.1.2.
jsonschema2dataclass has not had a release since Jan 2023,
so the suppression date has been set until Q3 2025
The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when
processing maliciously crafted input.
The inputs we provide do not result in this issue.
</notes>
<packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
<vulnerabilityName>CVE-2024-47554</vulnerabilityName>
</suppress>
</suppressions>