Package URL
pkg:maven/org.apache.cxf.karaf/apache-cxf@3.6.9
CPE
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:* versions up to (excluding) 4.2.0
CVE
CVE-2018-11786
ODC Integration
None
ODC Version
12.2.0
Description
This CVE impacts only "apache:karaf" packages, as per the CPE provided by NVD. But the tool is reporting it on "org.apache.cxf.karaf/cxf-karaf-commands" jars as well; the version range itself is not available in this package, and this is an altogether different package, which is wrong.
From the Dependency-Check tool team, we need confirmation on these false positives. Could you please validate and confirm?
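While waiting for the maintainers to confirm, the usual way to stop Dependency-Check from applying the apache:karaf CPE to these artifacts is a suppression file. The file below is an added example, not part of the issue or of the Dependency-Check project; it uses the package URL and CPE quoted in the report. It assumes you want to suppress the Karaf CPE for every artifact in the org.apache.cxf.karaf group (the regex on packageUrl), not just the one jar named above, and it suppresses the CPE match rather than the single CVE so that any other CVE tied to the same wrong identification is dropped too.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; not from the issue or the project.
     Pass it to the scanner with --suppression <path> (CLI) or the
     suppressionFile setting of the Maven/Gradle plugins. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2018-11786 applies to cpe:/a:apache:karaf
      (versions before 4.2.0). The org.apache.cxf.karaf artifacts are
      Apache CXF's Karaf integration, a different project with its own
      versioning (e.g. apache-cxf@3.6.9), so the CPE match is wrong.
      Assumption: the whole org.apache.cxf.karaf group is covered.
    ]]></notes>
    <!-- regex="true" so every artifact of the group matches, e.g.
         pkg:maven/org.apache.cxf.karaf/apache-cxf@3.6.9 and
         pkg:maven/org.apache.cxf.karaf/cxf-karaf-commands@3.6.9 -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.cxf\.karaf/.*@.*$</packageUrl>
    <!-- Suppress the CPE identification itself (CPE 2.2 form) rather than
         a single <cve>, so no other apache:karaf CVE is reported on it. -->
    <cpe>cpe:/a:apache:karaf</cpe>
  </suppress>
</suppressions>
```

After rerunning the scan, the report should list the org.apache.cxf.karaf jars without the apache:karaf CPE, and CVE-2018-11786 should no longer be attached to them; if it still appears, check that the scanner picked up the file (the CLI logs the suppression file path at startup) and that the regex matches the exact package URL shown in the report.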