[FP]: webpack@4.46.0 CVE-2023-28154 #5933
Comments
|
Npm Coordinates npm -i webpack@4.46.0Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #5933
]]></notes>
<packageUrl regex="true">^pkg:npm/webpack@.*$</packageUrl>
<cpe>cpe:/a:webpack.js:webpack</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6178615557 |
|
Npm Coordinates npm -i webpack@4.46.0Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #5933
]]></notes>
<packageUrl regex="true">^pkg:npm/webpack@.*$</packageUrl>
<cpe>cpe:/a:webpack.js:webpack</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6178621246 |
|
4.46 is currently labeled as vulnerable to the CVE. This is either a lack of version-info linking at Sonatype, or their researchers consider older versions vulnerable as well. You should raise your concerns with Sonatype. See https://ossindex.sonatype.org/component/pkg:npm/webpack@4.46.0 |
|
Thanks, I'll do that. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:npm/webpack@4.46.0
CPE
cpe:2.3:a:webpack.js:webpack:4.46.0:::::::*
CVE
CVE-2023-28154
ODC Integration
None
ODC Version
8.4.0
Description
CVE reports "Webpack 5 before 5.76.0", but the proper range is 5.0.0 -> 5.76.0, Webpack 4 is unaffected.
See: webpack/webpack#16500 (comment)
The text was updated successfully, but these errors were encountered: