- changed status to open
OWASP Dependency Check reports false positives
OWASP Dependency check reports that oauth2-oidc-sdk would be vulnerable to these two CVEs:
Filename: oauth2-oidc-sdk-7.1.1.jar | Reference: CVE-2007-1652 | CVSS Score: 7.5 | OpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add it site to the trusted sites list via a crafted web page, related to cached tokens.
Filename: oauth2-oidc-sdk-7.1.1.jar | Reference: CVE-2007-1651 | CVSS Score: 6.8 | Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site.
I assume these are false positives. Can you confirm and maybe report to OWASP Dependency Check?
@Yavor Vasilev Any update on this? I’m also curious if these CVEs are false positives
- changed status to invalid
Hi Josh,
Those vulns were reported for the old OpenID 1.x protocol in 2007; OpenID Connect and OAuth 2.0 as protocols didn't exist back then.
It looks like the tool has some heuristics which identify the involved protocol and search for protocol-related CVEs.
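Once a finding like this has been confirmed as a false positive, the usual way to keep it out of future scans is an OWASP Dependency-Check suppression file, passed to the scanner with the `suppression` setting of its CLI, Maven or Gradle plugin. The file below is an added example and is not part of this issue or of the oauth2-oidc-sdk project; it suppresses exactly the two CVE numbers quoted in the report for any version of the artifact. The Maven coordinates `com.nimbusds:oauth2-oidc-sdk` in the package URL are an assumption (the report only shows the jar file name), so check them against the coordinates in your own build before using it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check, not from the issue or the project. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        oauth2-oidc-sdk implements OAuth 2.0 / OpenID Connect. CVE-2007-1651 and
        CVE-2007-1652 describe the 2007 OpenID 1.x protocol and are matched only by the
        tool's protocol-name heuristics, so they are false positives for this artifact.
        Reviewed: <reviewer, date placeholder>.
        ]]></notes>
        <!-- Assumed Maven coordinates: groupId com.nimbusds, artifactId oauth2-oidc-sdk.
             The regex matches every version so the suppression survives upgrades. -->
        <packageUrl regex="true">^pkg:maven/com\.nimbusds/oauth2\-oidc\-sdk@.*$</packageUrl>
        <!-- Suppress only the two specific CVE ids from the report, never the whole CPE match,
             so a genuine future CVE against this library would still be reported. -->
        <cve>CVE-2007-1651</cve>
        <cve>CVE-2007-1652</cve>
    </suppress>
</suppressions>
```

Keeping the suppression scoped to the named CVE ids, rather than suppressing the CPE the tool matched or the whole file, is the part worth checking in review: a broader suppression would also hide any real advisory published against the library later, and the notes block is where the reasoning for the decision should live so it can be re-evaluated when the tool or the dependency changes.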
Ok, thanks Vladimir
Thanks for this report, we'll check what those CVEs are about.