
False positive CVE-2007-1651 and CVE-2007-1652 Microsoft.IdentityModel.Protocols.OpenIdConnect

Open guidemetothemoon opened this issue 4 years ago • 3 comments

Hello.

In the DependencyCheck I'm getting alerts for CVE-2007-1651 and CVE-2007-1652 vulnerabilities referred to Microsoft.IdentityModel.Protocols.OpenIdConnect package (performing dll scanning, package is coming from Nuget).

Package in OSS Index

From what I was able to find on the Internet this vulnerability is referred to OpenID but not to the Microsoft.IdentityModel.Protocols.OpenIdConnect package itself. According to OSS Index this package version doesn't have these vulnerabilities registered either.

CPEs are also different:

```
cpe:2.3:a:microsoft:identitymodel:6.8.0.11012:*:*:*:*:*:*:*
-> false positive?
cpe:2.3:a:openid:openid:6.8.0.11012:*:*:*:*:*:*:*
cpe:2.3:a:openid:openid_connect:6.8.0.11012:*:*:*:*:*:*:*
-> false positive?
```

CVE-2007-1651: CVE-2007-1651

CVE-2007-1652: CVE-2007-1652

Kind regards, Kris

guidemetothemoon, Jan 06 '21 16:01
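For anyone who hits the same match while waiting on a fix, a DependencyCheck suppression file is the usual way to handle it. The following is an added example, not part of the issue report and not from the DependencyCheck project itself; it assumes, as the reporter does, that only the two `openid:*` CPEs are wrong, so it suppresses exactly those CPEs (and not the whole finding) for the assembly file. The `filePath` pattern is an assumption about how the DLL is named on disk; the suppression schema URL and element names (`suppress`, `notes`, `filePath`, `cpe`) are the ones DependencyCheck documents.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
            Microsoft.IdentityModel.Protocols.OpenIdConnect is matched to the openid:openid
            and openid:openid_connect CPEs, which pull in CVE-2007-1651 / CVE-2007-1652.
            Those CVEs concern other OpenID software, not this NuGet package.
            The microsoft:identitymodel CPE is left untouched so genuine findings still appear.
        ]]></notes>
        <!-- Assumed file name: adjust if your build renames or relocates the assembly. -->
        <filePath regex="true">.*Microsoft\.IdentityModel\.Protocols\.OpenIdConnect\.dll$</filePath>
        <cpe>cpe:/a:openid:openid</cpe>
        <cpe>cpe:/a:openid:openid_connect</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression suppressions.xml` on the CLI (or the equivalent `suppressionFile` setting in the Maven/Gradle plugins). Suppressing by CPE rather than by CVE number keeps the rule scoped to the bad identification: if a future CVE is published against the real microsoft:identitymodel CPE it will still be reported, and if the matching heuristic is later fixed the rule simply stops matching anything.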

I have the same issue with [email protected]

ngoclamnn, May 11 '21 00:05

Related: https://github.com/openid/AppAuth-Android/issues/813

alixwar, May 19 '22 08:05