- changed status to invalid
CWE-470 Flaw from Veracode Scan
Issue #423
invalid
We are getting a CWE-470 flaw (https://cwe.mitre.org/data/definitions/470.html) from a Veracode scan, where we got 'nimbus-jose-jwt-9.9.3.jar' from the Azure Java SDK.
getCommonSuperClass, line 1023 (27 steps) com/nimbusds/jose/shaded/ow2asm/ClassWriter.java
getCommonSuperClass, line 1017 (26 steps) com/nimbusds/jose/shaded/ow2asm/ClassWriter.java
Can you look into it?
Comments (2)
Noting that the ASM lib that got tagged is at the latest https://search.maven.org/artifact/org.ow2.asm/asm/9.1/jar .
Reflection is not used when dealing with JSON.
I'm not sure how this got tagged, since the original CVE is from 2004 for a framework that is not used here.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2331