[Prisma Cloud] False Positive detection CVE-2023-44794 on spring_framework including spring-web and spring-core

Created On 01/25/24 06:40 AM - Last Modified 04/30/24 10:04 AM


Symptom


  • Prisma Cloud Defender flags spring_framework (including spring-web and spring-core) with the Critical vulnerability CVE-2023-44794; this detection is a false positive.


Environment


  • Prisma Cloud Compute
  • spring_framework


Cause


  • NVD CVEs that use "Running On/With" CPE configurations (https://nvd.nist.gov/vuln/vulnerability-detail-pages) are not currently handled by our vulnerability feeds.
  • A CVE of this type lists both vulnerable CPEs and non-vulnerable (dependency) CPEs.
  • Dependency CPEs narrow the scope of the vulnerability by specifying the environment in which the CVE applies, e.g. an operating system (Windows, Linux). A package that appears only as a dependency CPE is not itself vulnerable.
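The following added example (not Prisma Cloud code) illustrates the mechanism behind this false positive. It uses a constructed NVD JSON 2.0-style "Running On/With" configuration with placeholder CPE names; it is not the real NVD record for CVE-2023-44794. It contrasts a matcher that ignores the per-CPE `vulnerable` flag with one that honours the AND node structure.

```python
# Added example (not Prisma Cloud code). The configuration below is
# constructed for illustration; it is NOT the real NVD data for
# CVE-2023-44794, and the CPE names are placeholders.
from typing import Dict, List

# Constructed NVD JSON 2.0-style configuration: operator AND with two nodes.
# Node 1 holds the vulnerable product; node 2 is a "Running On/With"
# dependency CPE (vulnerable: False) that only narrows the scope.
APP = "cpe:2.3:a:example:vulnerable_app:1.0:*:*:*:*:*:*:*"
DEP = "cpe:2.3:a:example:framework:5.3:*:*:*:*:*:*:*"
SAMPLE_CONFIG: Dict = {
    "operator": "AND",
    "nodes": [
        {"operator": "OR", "cpeMatch": [{"vulnerable": True, "criteria": APP}]},
        {"operator": "OR", "cpeMatch": [{"vulnerable": False, "criteria": DEP}]},
    ],
}


def cpe_role(config: Dict, criteria: str) -> str:
    """How a CPE appears in the configuration: 'vulnerable',
    'dependency' (listed with vulnerable=False) or 'absent'."""
    for node in config["nodes"]:
        for m in node["cpeMatch"]:
            if m["criteria"] == criteria:
                return "vulnerable" if m["vulnerable"] else "dependency"
    return "absent"


def naive_flags(config: Dict, installed: List[str]) -> List[str]:
    """Matcher that ignores the vulnerable flag: every installed CPE found
    anywhere in the configuration is reported. This over-reports
    dependency CPEs, which is the false-positive pattern described above."""
    return [c for c in installed if cpe_role(config, c) != "absent"]


def applies(config: Dict, installed: List[str]) -> bool:
    """Matcher that honours the structure: every AND node must be satisfied
    by an installed CPE, and at least one satisfied match must carry
    vulnerable=True. A dependency CPE alone never triggers the CVE."""
    found = set(installed)
    saw_vulnerable = False
    for node in config["nodes"]:
        hits = [m for m in node["cpeMatch"] if m["criteria"] in found]
        if not hits:
            return False  # required product or platform is not present
        saw_vulnerable |= any(m["vulnerable"] for m in hits)
    return saw_vulnerable
```

Running `applies(SAMPLE_CONFIG, [DEP])` returns False while `naive_flags` still reports the framework CPE, which is the discrepancy this article describes.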


Resolution


  • Ignore the vulnerability, or add this CVE together with the specific package name to the exception list using the Tag feature.
Reference: Tags


Additional Information



