Hi Team,
We use Netty version 3.8.0.Final. While running OWASP Dependency-Check, CVE-2020-11612 was reported; OSSIndex marks this version as vulnerable. How did you conclude that the vulnerability is present before 4.1.46.Final?
However, OSSIndex states: "The Sonatype security research team discovered that the vulnerability is present in all versions before 4.1.46.Final and versions 5.0.0.Alpha1 through 5.0.0.Alpha2, not just versions 4.1.x before 4.1.46 as the advisory states."
In NVD, the vulnerable version for the CVE is Netty 4.1.x before 4.1.46.
Kindly check and confirm.
Identifiers
pkg:maven/io.netty/netty@3.8.0.Final
CPE
cpe:2.3:a:netty:netty:3.8.0:*:*:*:*:*:*:*