
[FP]: netty-codec-socks:4.1.60

Open abhimankhutia opened this issue 3 years ago • 1 comments

Package URL

pkg:maven/io.netty:netty-codec-socks:4.1.60

CPE

cpe:2.3:a:netty:netty::::::::

CVE

CVE-2021-21409

ODC Integration

No response

ODC Version

6.5.3

Description

CVE-2021-21409 is reported for netty-codec-socks:4.1.60, whereas it should only be reported for io.netty:netty-codec-http2.

abhimankhutia avatar Mar 29 '22 13:03 abhimankhutia

We don't have an intention to micromanage the vulnerabilities of a large framework that is always released as a whole with one version resulting in a single CPE vendor/product classification at the NIST NVD. When you want to stay on unpatched versions of the framework for components unaffected by a vulnerability in another part you have to revert to your own suppression files.

Note that in 2021 the OWASP Top 10 changed 'using components with known vulnerabilities (A09 in 2017)' to 'vulnerable or outdated components (A06)' to reflect the need to remain up-to-date with your components on a regular basis so that you can respond quickly when a critical security fix is only released for the latest version of a component. So the better response from a security perspective would be an upgrade of the framework version, even if the components you currently depend on are not the ones in which the current new vulnerability exists.

aikebah avatar Jun 08 '22 11:06 aikebah
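For readers who do choose the suppression-file route mentioned above, here is an added example (not from the issue or the project) of a Dependency-Check suppression entry scoped to this one artifact and CVE; it assumes ODC's package-URL form `pkg:maven/io.netty/netty-codec-socks@<version>` and uses the `until` attribute so the suppression expires and the finding is re-reviewed rather than silenced forever.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for Dependency-Check (schema 1.3); pass it with
     --suppression <file> (CLI) or the suppressionFile(s) option of the plugins. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Scope: only CVE-2021-21409, only the netty-codec-socks artifact.
         The regex on packageUrl matches any version of this one artifact, so the
         suppression does not hide the same CVE on netty-codec-http2, which is the
         module the CVE actually concerns. The until date is a constructed value:
         after it passes, the finding reappears and must be re-evaluated. -->
    <suppress until="2022-12-31Z">
        <notes><![CDATA[
        FP: CVE-2021-21409 affects netty-codec-http2; netty-codec-socks does not
        contain the HTTP/2 codec. Re-check on expiry or when upgrading Netty.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty-codec-socks@.*$</packageUrl>
        <cve>CVE-2021-21409</cve>
    </suppress>
</suppressions>
```

Suppress by `packageUrl` plus `cve` rather than by the shared `cpe:2.3:a:netty:netty` CPE alone; a CPE-wide suppression would also hide future Netty CVEs on every module that maps to that CPE.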