Hi Colm; as the assigning CNA was Red Hat, I'd suggest reaching out to them via secal...@redhat.com and asking them to update the entry (they have the ability to do this themselves and very quickly and easily without having to involve Mitre at all). Once that is done, which should take only a day or two, you can ask NIST to update the CPE list based on that change.

Cheers,
Mark

On Tue, Feb 25, 2020 at 2:40 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:

> Hi all,
>
> A few months ago I raised the issue of a number of CVEs reported against
> AMQ which have no "fix for" version. I have some time again to look into
> this, and so I'd like to take them one by one.
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-5183
>
> "The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on
> cookies."
>
> The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182)
> refers to the Hawt IO Console, and not anything in ActiveMQ. Although note
> that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11
> release (https://issues.apache.org/jira/browse/AMQ-7322).
>
> As this CVE does not concern ActiveMQ at all, I would like to mail NIST
> and request that they change the CPE score to stop referencing ActiveMQ,
> and also update the description not to refer to ActiveMQ.
>
> It would be great if someone from the PMC could give me a +1 to this plan,
> and I will be able to link to this thread when contacting NIST.
>
> Colm.