Posted to derby-dev@db.apache.org by "Bryan Pendleton (Jira)" <ji...@apache.org> on 2022/03/21 17:12:00 UTC

[jira] [Commented] (DERBY-7135) Does derby 10.14.2.0 contain the CVE-2020-13949 vulnerability?

    [ https://issues.apache.org/jira/browse/DERBY-7135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17510018#comment-17510018 ] 

Bryan Pendleton commented on DERBY-7135:
----------------------------------------

This seems like a flaw in the scanning tool. Apache Derby does not include any source code from Apache Thrift and I have not heard of any reports of CVE-2020-13949 for Apache Derby.

Perhaps you could contact the vendor of the scanning tool and ask them to help you figure out why your copy of derbynet.jar is being flagged as containing this CVE?

> Does derby 10.14.2.0 contain the CVE-2020-13949 vulnerability?
> --------------------------------------------------------------
>
>                 Key: DERBY-7135
>                 URL: https://issues.apache.org/jira/browse/DERBY-7135
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.14.2.0
>            Reporter: JenickLee
>            Priority: Blocker
>         Attachments: Snipaste_2022-03-22_00-43-37.png, Snipaste_2022-03-22_00-51-12.png
>
>
> Use a security tool to scan the derby 10.14.2.0 installation package. *The result shows that derbynet.jar contains the CVE-2020-13949 vulnerability.* The vulnerability is related to Hive and Thrift, but no reference is found in the derby 10.14.2.0 source code.
> *Is it a false positive? Which of the following application scenarios will be affected if the vulnerability is involved?*
> For details about the scanning result, see the attachment.
> Vulnerability Details:
> [https://nvd.nist.gov/vuln/detail/CVE-2020-13949]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
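As an added example, not code from the thread or from the Derby project, one way to check for oneself whether a jar actually bundles the code that a scanner's CVE match implies: it lists class entries under the Thrift package and any Maven pom.properties that name Thrift. It assumes Thrift classes live under org/apache/thrift/ and that Maven-built shaded jars carry META-INF/maven/.../pom.properties; the two jars it inspects are constructed in memory.

```python
"""Inspect a jar for evidence of a bundled package a scanner flagged.

Added example, not part of the Jira thread. Assumptions: a CVE-2020-13949
match is meant to indicate bundled Apache Thrift code, whose classes live
under org/apache/thrift/, and shaded Maven artifacts carry
META-INF/maven/<groupId>/<artifactId>/pom.properties.
"""
import io
import zipfile

THRIFT_PACKAGE_PREFIX = "org/apache/thrift/"


def scan_jar_for_package(jar_bytes: bytes, prefix: str = THRIFT_PACKAGE_PREFIX,
                         keyword: str = "thrift") -> dict:
    """Return class entries under `prefix` and pom.properties mentioning `keyword`."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        classes = sorted(n for n in names if n.startswith(prefix) and n.endswith(".class"))
        pom_hits = []
        for n in names:
            if n.startswith("META-INF/maven/") and n.endswith("pom.properties"):
                props = jar.read(n).decode("utf-8", errors="replace")
                if keyword in props.lower():
                    pom_hits.append(n)
    return {"classes": classes, "pom_properties": pom_hits,
            "present": bool(classes or pom_hits)}


def build_jar(entries: dict) -> bytes:
    """Build a jar (a zip archive) in memory from {entry name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a network-server-style jar with no Thrift content at all...
CLEAN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/derby/drda/NetworkServerControl.class": b"\xca\xfe\xba\xbe",
})
# ...and a constructed jar that really shades Thrift classes plus their Maven metadata.
SHADED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/thrift/TBinaryProtocol.class": b"\xca\xfe\xba\xbe",
    "META-INF/maven/org.apache.thrift/libthrift/pom.properties":
        b"groupId=org.apache.thrift\nartifactId=libthrift\n",
})

if __name__ == "__main__":
    for label, jar in (("clean", CLEAN_JAR), ("shaded", SHADED_JAR)):
        print(label, scan_jar_for_package(jar))
```

Running it against a real derbynet.jar (read the file's bytes and pass them in) gives concrete evidence to send back to the scanner vendor when the CVE match does not correspond to any bundled Thrift code.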