
[FP]: CVE-2022-24198 in kernel-7.2.2.jar

Open Vsevolod-Bro opened this issue 3 years ago • 4 comments

Package URL

pkg:maven/com.itextpdf/kernel@7.1.17

CPE

cpe:2.3:a:itextpdf:itext:7.1.17:*:*:*:*:*:*:*

CVE

CVE-2022-24198

ODC Integration

No response

ODC Version

7.1.1

Description

False positive on component ARCFOUREncryption.encryptARCFOUR: the fact that it throws ArrayIndexOutOfBoundsException is not by itself a vulnerability, and no case supporting that this behavior may be exploited to cause DoS has been presented (https://github.com/itext/itext7/pull/78).

Vsevolod-Bro avatar Jun 20 '22 02:06 Vsevolod-Bro

Maven Coordinates

<dependency>
   <groupId>com.itextpdf</groupId>
   <artifactId>kernel</artifactId>
   <version>7.1.17</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4613
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.itextpdf/kernel@.*$</packageUrl>
   <cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2526242832

github-actions[bot] avatar Jun 20 '22 02:06 github-actions[bot]

Maven Coordinates

<dependency>
   <groupId>com.itextpdf</groupId>
   <artifactId>kernel</artifactId>
   <version>7.1.17</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4613
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.itextpdf/kernel@.*$</packageUrl>
   <cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2526259456

github-actions[bot] avatar Jun 20 '22 02:06 github-actions[bot]

Maven Coordinates

<dependency>
   <groupId>com.itextpdf</groupId>
   <artifactId>kernel</artifactId>
   <version>7.1.17</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4613
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.itextpdf/kernel@.*$</packageUrl>
   <cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2526275762

github-actions[bot] avatar Jun 20 '22 03:06 github-actions[bot]

also for 7.2.3

mprins avatar Jul 18 '22 08:07 mprins

also occurs for 7.2.4

mprins avatar Oct 27 '22 07:10 mprins

Would have to be raised with Sonatype OSSINDEX for re-evaluation, as the raised issue was not fixed, but the CVE disputed as an ArrayIndexOutOfBoundsException does not constitute a security issue as such.

aikebah avatar Dec 07 '22 18:12 aikebah

Also applies to 7.2.5

achifal avatar Feb 02 '23 11:02 achifal

This still applies for version 8.0.0 and 8.0.1 as well.

hstorruste avatar Sep 01 '23 12:09 hstorruste

Hello guys, is CVE-2022-24198 a false positive? This is the first time it appears in a DependencyCheck.

Dhanxy avatar Sep 25 '23 20:09 Dhanxy

The CVE is disputed, but according to Sonatype OSSIndex it is a valid vulnerability. As to the exact why you would have to communicate with Sonatype. ODC merely reports that in the OSSIndex the CVE was kept as a vulnerability when disputed.

aikebah avatar Sep 25 '23 21:09 aikebah
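A complete project-side suppression file built from the rule the bot posted above, added here as an example; it is not from the thread or from the DependencyCheck project. The bot's rule suppresses the `cpe:/a:itextpdf:itext` match, which addresses the NVD/CPE side, while aikebah's last comment says this finding is reported from Sonatype OSS Index. The file below therefore assumes that a `<cve>` element scoped by `packageUrl` suppresses the finding whichever analyzer reported it, uses the 1.3 suppression schema namespace, drops the `base="true"` attribute (assumed to mark entries of ODC's own base suppression list), and uses a constructed placeholder `until` date so the suppression expires and is re-examined rather than living forever.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue thread: a project-level dependency-check
     suppression file scoped to the iText kernel artifact and to this one
     disputed CVE only. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- until: constructed placeholder date; the rule stops applying after it,
         forcing a re-check when the dependency is upgraded or OSS Index re-evaluates -->
    <suppress until="2099-01-01Z">
        <notes><![CDATA[
        CVE-2022-24198 is disputed: ArrayIndexOutOfBoundsException in
        ARCFOUREncryption.encryptARCFOUR with no demonstrated DoS.
        See DependencyCheck issue #4613 and https://github.com/itext/itext7/pull/78.
        ]]></notes>
        <!-- anchor the rule to the exact package instead of every artifact that
             maps onto the itextpdf:itext CPE -->
        <packageUrl regex="true">^pkg:maven/com\.itextpdf/kernel@.*$</packageUrl>
        <!-- suppress by vulnerability id, not by CPE, so the OSS Index report is
             covered too (assumption: <cve> matches regardless of reporting analyzer) -->
        <cve>CVE-2022-24198</cve>
    </suppress>
</suppressions>
```

Keeping the match on both the package URL and the CVE id means any other vulnerability later reported against the kernel artifact, and any other artifact matching the itext CPE, still surfaces in the report; only this disputed entry is silenced, and only until the placeholder date is reached.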