We are facing a problem of false positives for multiple versions of a package. These false positives only occur for the NVD CVE. The GitHub advisories alias is correctly associated with the vulnerable versions only.
This is the description of the vulnerability:
Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function (https://nvd.nist.gov/vuln/detail/CVE-2024-21537).
For example, here is a false positive:
But in another project:
This is what confuses me. The NVD vulnerability is the only one producing false positives. Is there some reason? Why does one vulnerability produce false positives when its alias doesn't?
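A quick way to triage findings like the one above is to check each flagged version directly against the range the advisory states, independently of the scanner. The following is an added example written for this discussion, not code from the original post or from any scanner; it assumes plain MAJOR.MINOR.PATCH release strings, uses the OSV/GHSA convention that "introduced" is inclusive and "fixed" is exclusive, and the installed versions and the unbounded range are constructed for illustration only (the unbounded range shows how a record that lacks an upper bound over-matches; it is not a statement about the actual NVD data for CVE-2024-21537).

```javascript
// Added example: triage scanner findings against the advisory's stated range.
// CVE-2024-21537 affects lilconfig >= 3.1.0 and < 3.1.1 (from the text above).
// Not part of the original discussion or any scanner's code.

// Parse "MAJOR.MINOR.PATCH" into three integers.
// Assumption: plain release versions only (no pre-release or build metadata).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// OSV/GHSA-style range: "introduced" is inclusive, "fixed" is exclusive.
// A missing "fixed" means no upper bound: every version from "introduced" on.
function isAffected(version, range) {
  const afterStart = compareVersions(version, range.introduced) >= 0;
  const beforeFix =
    range.fixed === undefined || compareVersions(version, range.fixed) < 0;
  return afterStart && beforeFix;
}

// Reduce the versions a scanner flagged to those the range really covers.
function affectedVersions(versions, range) {
  return versions.filter((v) => isAffected(v, range));
}

// Constructed sample of installed versions (not taken from the report).
const SEEN_VERSIONS = ["2.1.0", "3.0.0", "3.1.0", "3.1.1", "3.1.2"];

// Range taken from the advisory text quoted in the discussion.
const ADVISORY_RANGE = { introduced: "3.1.0", fixed: "3.1.1" };

// Constructed illustration: the same range with its upper bound dropped.
// This is how a record without a "fixed"/end bound would flag fixed versions.
const UNBOUNDED_RANGE = { introduced: "3.1.0" };

function demo() {
  return {
    advisory: affectedVersions(SEEN_VERSIONS, ADVISORY_RANGE),
    unbounded: affectedVersions(SEEN_VERSIONS, UNBOUNDED_RANGE),
  };
}

console.log(demo());
```

When the scanner reports a version that `isAffected` rejects under the advisory's own range, the finding is a false positive to raise with the data source or the matcher, rather than something to suppress silently in the project.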