[
https://issues.apache.org/jira/browse/FILEUPLOAD-361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18005246#comment-18005246
]
Gary D. Gregory commented on FILEUPLOAD-361:
--------------------------------------------
[~dmoebius]
I sent an email and CC'd our dev list:
[https://lists.apache.org/thread/kbl1mpx6bvfs5xj1w073ddspw92gs4ks]
> NVD still lists fileupload 2.0.0-M4 as vulnerable
> -------------------------------------------------
>
> Key: FILEUPLOAD-361
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-361
> Project: Commons FileUpload
> Issue Type: Bug
> Affects Versions: 2.0.0-M4
> Reporter: Dirk Moebius
> Priority: Major
>
> The NVD still lists commons-fileupload-2.0.0-M4 as vulnerable:
> [https://nvd.nist.gov/vuln/detail/CVE-2025-48976#match-16814623]
> although the CVE is officially reported as fixed for M4:
> [https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12]
> The NVD REST services lists M4 as vulnerable:
> [https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-48976]
> It looks like this is more an issue for NVD than for Apache, but if possible
> please send correct information to NVD so that they can fix this issue.
> This is a serious problem for us because of corporate security constraints we
> are forced to add hundreds of OWASP suppressions to various code bases due to
> this false positive.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
