Dirk Moebius created FILEUPLOAD-361:
---------------------------------------
Summary: NVD still lists fileupload 2.0.0-M4 as vulnerable
Key: FILEUPLOAD-361
URL: https://issues.apache.org/jira/browse/FILEUPLOAD-361
Project: Commons FileUpload
Issue Type: Bug
Affects Versions: 2.0.0-M4
Reporter: Dirk Moebius
The NVD still lists commons-fileupload-2.0.0-M4 as vulnerable:
[https://nvd.nist.gov/vuln/detail/CVE-2025-48976#match-16814623]
although the CVE is officially reported as fixed for M4:
[https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12]
The NVD REST services lists M4 as vulnerable:
[https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-48976]
It looks like this is more an issue for NVD than for Apache, but if possible
please send correct information to NVD so that they can fix this issue.
This is a serious problem for us because of corporate security constraints we
are forced to add hundreds of OWASP suppressions to various code bases due to
this false positive.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
