[ https://issues.apache.org/jira/browse/AMQ-8984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17573860#comment-17573860 ]
Justin Bertram edited comment on AMQ-8984 at 8/1/22 5:12 PM:
-------------------------------------------------------------

From what I can tell CVE-2015-3208 is completely bogus.

First, it's being reported against {{org.apache.activemq/activemq-broker}} (i.e. ActiveMQ "Classic") when the related code is in the code-base of ActiveMQ Artemis. These two code-bases are independent. CVEs in one don't necessarily impact the other. Lucas already pointed out this basic fact, of course, but there's more...

Second, the code in question was *never released*. The problematic code was added during the process of donating the HornetQ code-base to ActiveMQ and then the problem was resolved before that code was released as ActiveMQ Artemis 1.0.

Third, the status of the referenced issue at Red Hat is {{CLOSED WONTFIX}}.

I don't know how this actually became a CVE, but it's invalid in my opinion. I'll see if it's possible it can just be removed from the database.

was (Author: jbertram):

From what I can tell CVE-2015-3208 is completely bogus.

First, it's being reported against {{org.apache.activemq/activemq-broker}} (i.e. ActiveMQ "Classic") when the related code is in the code-base of ActiveMQ Artemis. Lucas already pointed this out, of course, but there's more...

Second, the code in question was *never released*. The problematic code was added during the process of donating the HornetQ code-base to ActiveMQ and then the problem was resolved before that code was released as ActiveMQ Artemis 1.0.

Third, the status of the referenced issue at Red Hat is {{CLOSED WONTFIX}}.

I don't know how this actually became a CVE, but it's invalid in my opinion. I'll see if it's possible it can just be removed from the database.
> Fix or challenge CVE-2015-3208 reported by ossindex.sonatype.org
> ----------------------------------------------------------------
>
>                 Key: AMQ-8984
>                 URL: https://issues.apache.org/jira/browse/AMQ-8984
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.16.3, 5.16.4, 5.16.5
>            Reporter: Sven-Jørgen Karlsen
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>
> I get CVE-2015-3208 reported against activemq-broker 5.16.3-5 when running maven-enforcer-plugin with the banVulnerable rule. The vulnerability can also be seen on ossindex.org:
> [https://ossindex.sonatype.org/vulnerability/CVE-2015-3208?component-type=maven&component-name=org.apache.activemq%2Factivemq-broker&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1]
>
> It looks rather dated, is it some kind of fault in Sonatype's database? I have seen several odd occurrences of old vulnerabilities in ossindex.org the last month or so, after the "breaking changes" being worked on in the OSS Index data.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
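The reporter's build fails because the maven-enforcer-plugin `banVulnerable` rule (Sonatype's ossindex-maven enforcer rule) treats every OSS Index hit as blocking. While a disputed entry like CVE-2015-3208 is still in the database, the usual defensive move is to exclude that one vulnerability id, not the artifact, so the gate keeps failing on any other finding against activemq-broker. The configuration below is an added example, not from this Jira issue or the ActiveMQ project; the `ossindex-maven-enforcer-rules` coordinates, the `BanVulnerableDependencies` implementation class and the `excludeVulnerabilityIds` parameter are taken from Sonatype's ossindex-maven project as I understand it, and both version numbers are placeholders to be replaced with whatever your build actually uses.

```xml
<!-- pom.xml fragment: added example, not part of the original issue -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>ENFORCER_VERSION_PLACEHOLDER</version>
      <dependencies>
        <!-- Assumption: Sonatype's OSS Index enforcer rule, which provides banVulnerable -->
        <dependency>
          <groupId>org.sonatype.ossindex.maven</groupId>
          <artifactId>ossindex-maven-enforcer-rules</artifactId>
          <version>OSSINDEX_RULES_VERSION_PLACEHOLDER</version>
        </dependency>
      </dependencies>
      <executions>
        <execution>
          <id>ban-vulnerable-dependencies</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies">
                <!-- Fail the build on any OSS Index finding, except the ids listed here. -->
                <excludeVulnerabilityIds>
                  <!--
                    CVE-2015-3208: disputed in AMQ-8984. The affected code lives in
                    ActiveMQ Artemis (a separate code-base), was never released, and
                    the Red Hat issue is CLOSED WONTFIX. Suppressed by id only, so other
                    findings against activemq-broker still fail the build.
                  -->
                  <exclude>CVE-2015-3208</exclude>
                </excludeVulnerabilityIds>
              </banVulnerable>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Excluding by vulnerability id rather than by artifact coordinates is the important choice: a coordinate-level exclusion would silence every future OSS Index finding for activemq-broker, whereas the id-level exclusion records exactly which entry was judged a false positive and why, and can be removed once the database entry is withdrawn.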