vashistha changed the title from "false positive in java project if dependency has word 'Interact' in pom" to "false positive in java project if dependency has word 'Interact' in pom i.e. com.amazonaws:aws-java-sdk-core:1.11.467" (Dec 13, 2018)
vashistha changed the title from "false positive in java project if dependency has word 'Interact' in pom i.e. com.amazonaws:aws-java-sdk-core:1.11.467" to "false positive in java project if dependency has word 'Interact' in pom i.e. pom of com.amazonaws:aws-java-sdk-core:1.11.467" (Dec 13, 2018)
dependency check
mvn clean org.owasp:dependency-check-maven:4.0.0:check
returns 1 high, 2 medium and 1 low severity vulnerability if the dependency pom contains the word 'interact' anywhere, such as in the <name> or even in the <description> element. The reported CVEs are CVE-2006-1642 (Low), CVE-2006-1643 (High), CVE-2006-1644 (Medium) and CVE-2007-4177 (Medium) for the following CPE:
CPE
cpe:/a:interact:interact:2.1.1 and all previous versions
Description
Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
SQL injection vulnerability in login.php in Interact 2.1.1 allows remote attackers to execute arbitrary SQL commands via the user_name parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party.
BID - 17385
VUPEN - ADV-2006-1244
XF - interact-login-sql-injection(25653)
Vulnerable Software & Versions: (show all)
cpe:/a:interact:interact:2.1.1 and all previous versions
Reproducing the false positive vulnerability
Create a Maven project with a pom containing the word 'interact' in the <description> element. Example - https://github.com/softwaresecurity/word-ws-dummy-project.git
Build the project: mvn clean install
Add this project as a dependency to another project. Example - https://github.com/softwaresecurity/owasp-false-positives.git
Run dependency check mvn clean org.owasp:dependency-check-maven:4.0.0:check on the latter project.
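
A triage check for this kind of match, as an added example that is not part of the original issue and is not dependency-check's own matching logic: it reports which pom fields contain the vendor or product word of the reported CPE, so a hit that appears only in <name> or <description> and not in the Maven coordinates can be queued for false-positive review. The sample pom, field groupings and function names are constructed for illustration; poms from untrusted sources should be parsed with a hardened XML parser.

```python
import re
import xml.etree.ElementTree as ET

REPORTED_CPE = "cpe:/a:interact:interact:2.1.1"  # CPE quoted in the report above

# Constructed pom: the word "interact" appears only in <description>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>word-ws-dummy</artifactId>
  <version>1.0.0</version>
  <name>Dummy web service</name>
  <description>Helpers that interact with a remote service.</description>
</project>"""

IDENTITY_FIELDS = ("groupId", "artifactId")   # what the artifact actually is
FREE_TEXT_FIELDS = ("name", "description")    # prose that may mention anything


def cpe_tokens(cpe):
    """Return the lower-cased vendor and product of a CPE 2.2 URI."""
    parts = cpe.split(":")
    if len(parts) < 4 or parts[0] != "cpe" or not parts[1].startswith("/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    return {parts[2].lower(), parts[3].lower()}


def fields_matching(pom_xml, cpe):
    """Map each inspected pom field to the CPE tokens found in its text."""
    wanted = cpe_tokens(cpe)
    hits = {}
    for child in ET.fromstring(pom_xml):
        field = child.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if field not in IDENTITY_FIELDS + FREE_TEXT_FIELDS:
            continue
        words = set(re.findall(r"[a-z0-9]+", (child.text or "").lower()))
        if wanted & words:
            hits[field] = sorted(wanted & words)
    return hits


def free_text_only(pom_xml, cpe):
    """True when CPE tokens occur in <name>/<description> but not in the coordinates."""
    hits = fields_matching(pom_xml, cpe)
    return bool(hits) and not any(f in IDENTITY_FIELDS for f in hits)


if __name__ == "__main__":
    print(fields_matching(SAMPLE_POM, REPORTED_CPE), free_text_only(SAMPLE_POM, REPORTED_CPE))
```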