OWASP Dependency Check reports false positives

Issue #320 invalid
Former user created an issue

OWASP Dependency check reports that oauth2-oidc-sdk would be vulnerable to these two CVEs:

Filename: oauth2-oidc-sdk-7.1.1.jar | Reference: CVE-2007-1652 | CVSS Score: 7.5 | OpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add it site to the trusted sites list via a crafted web page, related to cached tokens.

Filename: oauth2-oidc-sdk-7.1.1.jar | Reference: CVE-2007-1651 | CVSS Score: 6.8 | Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site.

I assume these are false positives. Can you confirm and maybe report to OWASP Dependency Check?

See https://github.com/jeremylong/DependencyCheck

Comments (4)

  1. Vladimir Dzhuvinov

    Hi Josh,

    Those vulns were reported for the old OpenID 1.x protocol in 2007. OpenID Connect and OAuth 2.0 as protocols didn't exist back then.

    It looks like the tool has some heuristics that identify the involved protocol and search for protocol-related CVEs.
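The standard way to keep a confirmed false positive like this from failing future scans is a Dependency Check suppression file. The following is an added example, not part of the issue or of the oauth2-oidc-sdk project: it suppresses the two 2007 OpenID CVEs only for jars whose filename matches the library named in the report, so a genuine future CVE against this artifact would still be flagged. The `cpe:/a:openid:openid` identifier in the second block is an assumption about which CPE the tool's heuristic matched; take the actual value from the "Identifiers" section of the generated report before using it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml: added example for the false positive discussed in issue #320 -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Option 1: suppress the specific CVEs, scoped to this artifact by filename.
       Scoping matters: an unscoped <cve> entry would hide these IDs for every
       dependency in the build, not just the one that was misidentified. -->
  <suppress>
    <notes><![CDATA[
      CVE-2007-1651 / CVE-2007-1652 describe the OpenID 1.x protocol (2007).
      oauth2-oidc-sdk implements OAuth 2.0 / OpenID Connect, which did not exist then.
      Reviewed: <reviewer>, <date>  (placeholders; record who confirmed the false positive)
    ]]></notes>
    <filePath regex="true">.*oauth2-oidc-sdk-.*\.jar</filePath>
    <cve>CVE-2007-1651</cve>
    <cve>CVE-2007-1652</cve>
  </suppress>

  <!-- Option 2: suppress the misidentified CPE itself for this artifact, so any
       CVE that is ever attached to that CPE is ignored for it. The CPE value below
       is an assumption; copy it from the report's Identifiers section. -->
  <suppress>
    <notes><![CDATA[ CPE heuristic matched the legacy OpenID product for an OIDC SDK. ]]></notes>
    <filePath regex="true">.*oauth2-oidc-sdk-.*\.jar</filePath>
    <cpe>cpe:/a:openid:openid</cpe>
  </suppress>

</suppressions>
```

With the CLI the file is passed as `dependency-check.sh --project myapp --scan target/ --suppression suppressions.xml`; the Maven plugin takes the same file through its `suppressionFiles` configuration. Prefer the CVE-scoped block when the library is otherwise correctly identified, and the CPE-scoped block when, as here, the identification itself is wrong; in both cases the `<notes>` entry is what lets the next person auditing the suppression file verify that the reasoning still holds.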
