File: suppressions.xml

libowasp-esapi-java 2.4.0.0-2.1
  • area: main
  • in suites: forky, sid, trixie
  • size: 12,000 kB
  • sloc: java: 35,401; xml: 1,630; sh: 373; makefile: 2
<?xml version="1.0" encoding="UTF-8"?>
<!-- OWASP Dependency Check suppression file for ESAPI. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
            This suppresses CVE-2019-17571 for the log4j-1.2.17.jar dependency. ESAPI does
            not use it in a manner that makes it exploitable, and ESAPI is unable to
            eliminate the dependency completely because of our deprecation policy. That specific
            CVE is the Java deserialization CVE reported in Log4J 1's SocketServer class, which ESAPI
            doesn't use.

            For further details, please see:
                https://nvd.nist.gov/vuln/detail/CVE-2019-17571,
                ESAPI GitHub Issue #538 (https://github.com/ESAPI/esapi-java-legacy/issues/538),
                and the ESAPI security advisory #2, "documentation/ESAPI-security-bulletin2.pdf", which
                provides a detailed analysis of this issue in ESAPI.
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2019-17571</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
            This suppresses CVE-2020-9488 for the log4j-1.2.17.jar dependency. ESAPI does
            not use it in a manner that makes it exploitable, and ESAPI is unable to
            eliminate the dependency completely because of our deprecation policy. That specific
            CVE is the improper certificate validation (host mismatch) in Log4J 1's SMTPAppender,
            which allows an SMTPS connection to be intercepted; ESAPI doesn't use that appender.

            For further details, please see:
                https://nvd.nist.gov/vuln/detail/CVE-2020-9488,
                ESAPI GitHub Issue #534 (https://github.com/ESAPI/esapi-java-legacy/issues/534),
                and the ESAPI security advisory #4, "documentation/ESAPI-security-bulletin4.pdf", which
                provides a detailed analysis of this issue in ESAPI.
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2020-9488</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
            This suppresses CVE-2021-4104 for the log4j-1.2.17.jar dependency. ESAPI's
            default configuration uses ConsoleAppender rather than JMSAppender and
            thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to
            eliminate the dependency completely because of our deprecation policy.

            For further details, please see:
                https://nvd.nist.gov/vuln/detail/CVE-2021-4104 and
                the ESAPI security advisory #6, "documentation/ESAPI-security-bulletin6.pdf", which
                provides a detailed analysis of this issue in ESAPI.
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2021-4104</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
            This suppresses CVE-2022-23305 for the log4j-1.2.17.jar dependency. ESAPI's
            default configuration uses ConsoleAppender rather than JDBCAppender and
            thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to
            eliminate the dependency completely because of our deprecation policy.

            For further details, please see:
                https://nvd.nist.gov/vuln/detail/CVE-2022-23305 and
                the ESAPI security advisory #7, "documentation/ESAPI-security-bulletin7.pdf", which
                provides a detailed analysis of this issue in ESAPI.
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2022-23305</cve>
    </suppress>
<!--
java-8 Integration - content required for successful owasp dependency-check execution
MISSING Security Bulletin content!

    <suppress>
        <notes><![CDATA[
            This suppresses CVE-2022-23307 for the log4j-1.2.17.jar dependency. ESAPI's
            default configuration uses ConsoleAppender and does not use the Chainsaw log viewer
            classes bundled with Log4J 1 (where this deserialization flaw lies), and thus does
            not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to
            eliminate the dependency completely because of our deprecation policy.

            For further details, please see:
                https://nvd.nist.gov/vuln/detail/CVE-2022-23307 and

-> NEEDS BULLETIN REFERENCE

        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2022-23307</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
            This suppresses CVE-2022-23302 for the log4j-1.2.17.jar dependency. ESAPI's
            default configuration uses ConsoleAppender rather than JMSAppender and
            thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to
            eliminate the dependency completely because of our deprecation policy.
            By virtue of not using a JMSAppender, the exploitable JMSSink implementation
            referenced by this CVE is also not reachable.

            For further details, please see:
                https://nvd.nist.gov/vuln/detail/CVE-2022-23302
-> NEEDS BULLETIN REFERENCE

        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2022-23302</cve>
    </suppress>
-->
    <suppress>
        <notes><![CDATA[
            ESAPI does not use this jar directly. It is a transitive dependency of AntiSamy and (as per Dave Wichers on
            the AntiSamy team), it does not impact AntiSamy, and therefore does not impact ESAPI.

            file name: batik-i18n-1.14.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$</packageUrl>
        <cve>CVE-2020-7791</cve>
    </suppress>
</suppressions>
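Every suppression above is deliberately narrow: a `gav` regex anchored to one artifact and version, plus a single `cve`. A suppression that names only a `cpe` (or an unanchored regex) silently hides every future finding for that component, which is the usual way a suppression file rots. The following lint script is an added example and is not part of ESAPI or of OWASP Dependency-Check; it parses a constructed excerpt modelled on this file, flags entries with no `cve`/`vulnerabilityName`, entries whose `until` expiry date (a real attribute of the 1.3 schema, written as `YYYY-MM-DDZ`) has passed, and unanchored `gav` regexes, and probes each `gav` pattern against constructed Maven coordinates to show it does not also match neighbouring artifacts. The coordinates and the dates are test data, and the regex matching is assumed to behave like Java's full-string `Matcher.matches()`.

```python
"""Lint a Dependency-Check suppressions.xml for over-broad or stale entries.

Added example, not project code. SAMPLE_XML and PROBES are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import date, datetime

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed excerpt: #1 is scoped like ESAPI's entries, #2 is a blanket
# CPE-only suppression, #3 carries an 'until' date that has already passed.
SAMPLE_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[scoped to one artifact version and one CVE]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cpe>cpe:/a:apache:log4j</cpe>
        <cve>CVE-2021-4104</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[blanket: hides every present and future log4j finding]]></notes>
        <cpe>cpe:/a:apache:log4j</cpe>
    </suppress>
    <suppress until="2020-01-01Z">
        <notes><![CDATA[expired]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$</packageUrl>
        <cve>CVE-2020-7791</cve>
    </suppress>
</suppressions>
"""

# Constructed groupId:artifactId:version coordinates -> should the scoped
# log4j suppression match them?  Only the exact pinned artifact may match.
PROBES = {
    "log4j:log4j:1.2.17": True,
    "log4j:log4j:1.2.16": False,
    "org.apache.logging.log4j:log4j-core:2.17.1": False,
    "ch.qos.reload4j:reload4j:1.2.19": False,
}


def gav_matches(pattern: str, coordinate: str) -> bool:
    """Regex gav match; re.fullmatch mirrors Java's Matcher.matches() (assumed)."""
    return re.fullmatch(pattern, coordinate) is not None


def probe_gav(pattern: str, probes: dict[str, bool]) -> list[str]:
    """Return the coordinates whose match result differs from what we expect."""
    return [c for c, want in probes.items() if gav_matches(pattern, c) != want]


def lint_suppressions(xml_text: str, today: date) -> list[str]:
    """One finding per problematic <suppress>; an empty list means the file is clean."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []
    for i, sup in enumerate(root.findall("s:suppress", NS), start=1):
        vuln_ids = [e.text for e in sup.findall("s:cve", NS)]
        vuln_ids += [e.text for e in sup.findall("s:vulnerabilityName", NS)]
        if not vuln_ids:
            findings.append(f"suppress #{i}: no <cve>/<vulnerabilityName>; "
                            "every finding for the matched component is hidden")
        until = sup.get("until")
        if until is not None:
            expiry = datetime.strptime(until, "%Y-%m-%dZ").date()
            if expiry < today:
                findings.append(f"suppress #{i}: expired on {until}; "
                                "Dependency-Check stops applying it after that date")
        gav = sup.find("s:gav", NS)
        if gav is not None and gav.get("regex") == "true":
            pat = gav.text or ""
            if not (pat.startswith("^") and pat.endswith("$")):
                findings.append(f"suppress #{i}: unanchored gav regex {pat!r}")
    return findings


if __name__ == "__main__":
    for line in lint_suppressions(SAMPLE_XML, date.today()):
        print(line)
    print("scoped pattern mismatches:", probe_gav(r"^log4j:log4j:1\.2\.17$", PROBES))
    print("broad pattern mismatches: ", probe_gav(r"^log4j:log4j:.*$", PROBES))
```

Run against the real file with a fixed `today` in CI so a suppression cannot expire unnoticed; the probe set is the place to add any artifact you are worried a loose pattern might swallow.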