False Positive on micrometer-registry-prometheus #1927

Closed
ST-DDT opened this issue May 16, 2019 · 1 comment

ST-DDT commented May 16, 2019

micrometer-registry-prometheus-1.1.4.jar (pkg:maven/io.micrometer/micrometer-registry-prometheus@1.1.4, cpe:2.3:a:prometheus:prometheus:1.1.4:*:*:*:*:*:*:*) : CVE-2019-3826
simpleclient-0.5.0.jar (pkg:maven/io.prometheus/simpleclient@0.5.0, cpe:2.3:a:prometheus:prometheus:0.5.0:*:*:*:*:*:*:*) : CVE-2019-3826

<dependency>
    <groupId>io.micrometer</groupId>
    <artifactId>micrometer-registry-prometheus</artifactId>
    <version>1.1.4</version>
</dependency>
<dependency>
    <groupId>io.prometheus</groupId>
    <artifactId>simpleclient</artifactId>
    <version>0.5.0</version>
</dependency>

The CVE-2019-3826 does affect the prometheus server software, but it does not affect the java (client) libraries.

@janosmeszaros

Hi,
I found that io.prometheus.jmx:collector is also reported with CVE-2019-3826. Maybe that's also related to this issue?

lock bot locked and limited conversation to collaborators on Jul 12, 2019
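
A triage sketch for findings like the two reported above, added here as an example and not taken from the issue or from the scanner's code. It parses each report line and queues a finding for manual review when the CPE product differs from the Maven artifactId; the line format is inferred from the two lines in the report, and the mismatch heuristic and all function names are assumptions.

```python
import re

# The two finding lines from the report in the issue above.
REPORT = """\
micrometer-registry-prometheus-1.1.4.jar (pkg:maven/io.micrometer/micrometer-registry-prometheus@1.1.4, cpe:2.3:a:prometheus:prometheus:1.1.4:*:*:*:*:*:*:*) : CVE-2019-3826
simpleclient-0.5.0.jar (pkg:maven/io.prometheus/simpleclient@0.5.0, cpe:2.3:a:prometheus:prometheus:0.5.0:*:*:*:*:*:*:*) : CVE-2019-3826
"""

# Assumed layout: "<file> (pkg:maven/<group>/<artifact>@<version>, <cpe>) : <CVE list>"
FINDING = re.compile(
    r"^(?P<file>\S+) \(pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^,]+), "
    r"(?P<cpe>cpe:2\.3:[^)]+)\) : (?P<cves>.+)$"
)


def parse_findings(report):
    """Return one dict per report line that matches the assumed layout."""
    findings = []
    for line in report.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue
        # CPE 2.3 field order: cpe:2.3:part:vendor:product:version:...
        # (a plain split is enough here; escaped colons are not handled)
        cpe = m["cpe"].split(":")
        findings.append({
            "file": m["file"],
            "group": m["group"],
            "artifact": m["artifact"],
            "version": m["version"],
            "cpe_vendor": cpe[3],
            "cpe_product": cpe[4],
            "cves": [c.strip() for c in m["cves"].split(",")],
        })
    return findings


def needs_review(finding):
    """Heuristic (assumption): the CVE was matched through a CPE whose product
    is not the artifact itself, so the match may belong to another product."""
    return finding["cpe_product"] != finding["artifact"]


def review_queue(report):
    """List (artifact, 'vendor:product', CVEs) for findings to check by hand."""
    return [(f["artifact"], f["cpe_vendor"] + ":" + f["cpe_product"], f["cves"])
            for f in parse_findings(report) if needs_review(f)]
```

Both lines from the report land in the queue, because each artifact was mapped to the `prometheus:prometheus` CPE rather than to an identifier of its own.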