[ https://issues.apache.org/jira/browse/PLUTO-802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Neil Griffin closed PLUTO-802.
------------------------------
    Resolution: Fixed

Upgraded to Maven 3.8.1 which is the patched version.

> Dependabot identifies false positive CVE-2021-26291
> ---------------------------------------------------
>
>                 Key: PLUTO-802
>                 URL: https://issues.apache.org/jira/browse/PLUTO-802
>             Project: Pluto
>          Issue Type: Task
>          Components: build system
>    Affects Versions: 3.1.1
>            Reporter: Neil Griffin
>            Assignee: Neil Griffin
>            Priority: Major
>             Fix For: 3.1.2
>
>
> Dependabot has falsely identified CVE-2021-26291 as a security vulnerability 
> due to a build system property named {{maven.version}} due to usage of the 
> following dependency:
> {code:java}
> <dependency>
>     <groupId>org.apache.maven</groupId>
>     <artifactId>maven-core</artifactId>
>     <version>2.0.5</version>
> </dependency>
> {code}
> However, at the time of this writing, [Maven Central does not list any 
> vulnerabilities for this 
> version|https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-core@2.0.6].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
