owasp.suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2025-02-01Z">
        <notes>
            <![CDATA[file name: logback-core-1.5.11.jar]]>
            This vulnerability is fixed in 1.5.13.
            Spring Boot versions 3.4.2+ import 1.5.16; that release is expected in late Jan 2025.
            The attack involves modification of the DOCTYPE declaration in XML configuration files.
            The attack requires existing privilege, so the risk is low.
        </notes>
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-12801</vulnerabilityName>
    </suppress>
    <suppress until="2025-02-01Z">
        <notes>
            <![CDATA[file name: logback-core-1.5.11.jar]]>
            This vulnerability is fixed in 1.5.13.
            Spring Boot versions 3.4.2+ import 1.5.16; that release is expected in late Jan 2025.
            A successful attack requires the user to have write access to a configuration file.
            Alternatively, the attacker could inject a malicious environment variable
            pointing to a malicious configuration file.
            In both cases, the attack requires existing privilege, so the risk is low.
        </notes>
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-12798</vulnerabilityName>
    </suppress>
</suppressions>