False-positive report raised for jetty-http : 9.2.16

Issue #255 resolved
Former user created an issue

jetty-http : 9.2.16.v20160414

2015-2080
JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server
http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
http://eclipse.org/jetty/documentation/current/security-reports.html
https://github.com/GDSSecurity/Jetleak-Testing-Script
Affected versions: >=9.2.3,9.2 && <=9.2.8,9.2

I'm not exactly sure of the logic controlling the Affected versions, but 9.2.16 is not within the range of 9.2.3 <= affected versions <= 9.2.8!

It would seem that this presents a false-positive for any 9.2.x version? I'm sure this must be a recurrence you've seen before? (Issue 143?)

(Of course, this might relate to the nature of the repository of CVEs, and not the tooling directly.)
