Hello,
Over 2 weeks ago CVE-2023-46604 with a critical vulnerability was
published, but I wonder if this was done in the proper way. When looking
at Maven central, all versions are marked with 0 vulnerabilities, which
is not correct:
https://central.sonatype.com/artifact/org.apache.activemq/activemq-broker/versions
I suppose this is also the reason dependency-check does not see any
issues with the old ActiveMQ version. That means when people are not
reading all CVEs or subscribed to this mailing list, they are still
unaware of this critical vulnerability.
Shouldn't this be fixed, so more people become aware they are running
vulnerable software?
Cheers,
Wim