On 19.01.24 16:24, Brian Demers wrote:
We are looking into getting this corrected.  Thanks for letting us know!

Looks like you were partially successful, thanks.

https://www.cve.org/CVERecord?id=CVE-2023-46749 now correctly states "1.13.0" in the description and it's got the affected version range formalized ("affected from 0 before 1.13.0"). https://nvd.nist.gov/vuln/detail/CVE-2023-46749 also updated the description but it still misses the "Known Affected Software Configurations" section.

Anyway, as Sonatype OSS Index now downgraded it to 5.9, this is all less critical. No idea why they initially marked it as HIGH.

--
Marcel Stör, https://frightanic.com
My PGP key: https://frightanic.com/pgp/
Twitter: https://twitter.com/frightanic
