I believe you're looking at the wrong Maven dependency. The two vulnerable dependencies are:

- activemq-client: https://central.sonatype.com/artifact/org.apache.activemq/activemq-client/versions
- activemq-openwire-legacy: https://central.sonatype.com/artifact/org.apache.activemq/activemq-openwire-legacy/versions

If you look at those you can see that the vulnerability is listed.

Justin

On Mon, Nov 13, 2023 at 9:11 AM Wim van Ravesteijn <raveste...@olisa.eu> wrote:
> Hello,
>
> Over 2 weeks ago CVE-2023-46604 with a critical vulnerability was
> published, but I wonder if this was done in the proper way. When looking
> at Maven central, all versions are marked with 0 vulnerabilities, which
> is not correct:
>
> https://central.sonatype.com/artifact/org.apache.activemq/activemq-broker/versions
>
> I suppose this is also the reason dependency-check does not see any
> issues with the old ActiveMQ version. That means when people are not
> reading all CVEs or subscribed to this mailing list, they are still
> unaware of this critical vulnerability.
>
> Shouldn't this be fixed, so more people become aware they are running
> vulnerable software?
>
> Cheers,
>
> Wim
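The thread's practical point is that the affected code lives in activemq-client and activemq-openwire-legacy, which most projects only pull in transitively (for example via activemq-broker), so a scan of the resolved dependency tree is the reliable way to find it regardless of what any vulnerability database lists. The following is an added example, not code from the thread or the ActiveMQ project: it parses `mvn dependency:list` (or `dependency:tree`) output and flags the two artifacts Justin names when their version falls below the fixed release of its branch. The fixed versions (5.15.16, 5.16.7, 5.17.6, 5.18.3) are taken from the Apache ActiveMQ advisory for CVE-2023-46604 and are not stated on this page; the sample Maven output is constructed for the example.

```python
"""Flag Maven artifacts affected by CVE-2023-46604 in `mvn dependency:list` output.

Added example, not code from the mailing-list thread or the ActiveMQ project.
Fixed versions are taken from the Apache ActiveMQ advisory (assumption: they are
not stated on this page).
"""
import re

# Artifacts named in the thread as carrying the vulnerable OpenWire code.
AFFECTED_GROUP = "org.apache.activemq"
AFFECTED_ARTIFACTS = {"activemq-client", "activemq-openwire-legacy"}

# (first affected, first fixed) per release branch, per the Apache advisory.
# Everything below 5.15.16 is treated as affected, so 5.14.x and older are flagged too.
FIXED_RANGES = [
    ((0, 0, 0), (5, 15, 16)),
    ((5, 16, 0), (5, 16, 7)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 18, 0), (5, 18, 3)),
]

# A Maven coordinate: g:a:type:version:scope or g:a:type:classifier:version:scope.
COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5}")


def parse_version(version):
    """Return (major, minor, patch) for a plain numeric version, else None.

    Versions with qualifiers (e.g. '-SNAPSHOT') are deliberately left unparsed so
    that they are reported for manual review rather than silently passed.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if affected, False if fixed or unaffected, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v < fixed for lo, fixed in FIXED_RANGES)


def fixed_in(version):
    """Same-branch fixed version to upgrade to, or None if not affected/unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    for lo, fixed in FIXED_RANGES:
        if lo <= v < fixed:
            return ".".join(str(x) for x in fixed)
    return None


def parse_coordinate(line):
    """Extract (groupId, artifactId, version) from a dependency:list/tree line.

    The version is the first field after the packaging type that starts with a
    digit, which skips an optional classifier such as 'tests'.
    """
    m = COORD_RE.search(line)
    if not m:
        return None
    fields = m.group(0).split(":")
    version = next((f for f in fields[3:] if f[:1].isdigit()), None)
    if version is None:
        return None
    return fields[0], fields[1], version


def scan(mvn_output):
    """Return [(artifactId, version, fixed_in)] for affected ActiveMQ artifacts.

    Unparseable versions are included with fixed_in=None so they are not lost.
    """
    findings = []
    for line in mvn_output.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if group != AFFECTED_GROUP or artifact not in AFFECTED_ARTIFACTS:
            continue
        if is_vulnerable(version) is not False:
            findings.append((artifact, version, fixed_in(version)))
    return findings


# Constructed sample of `mvn dependency:list` output for an app on ActiveMQ 5.15.9;
# the client and openwire-legacy jars arrive transitively through activemq-broker.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- dependency:3.6.0:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.activemq:activemq-broker:jar:5.15.9:compile
[INFO]    org.apache.activemq:activemq-client:jar:5.15.9:compile
[INFO]    org.apache.activemq:activemq-openwire-legacy:jar:5.15.9:compile
[INFO]    org.fusesource.hawtbuf:hawtbuf:jar:1.11:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
"""

if __name__ == "__main__":
    for artifact, version, fix in scan(SAMPLE_MVN_OUTPUT):
        target = fix or "a fixed release (version not parseable, review manually)"
        print(f"{AFFECTED_GROUP}:{artifact}:{version} is affected by CVE-2023-46604; upgrade to {target}")
```

Run it as `mvn dependency:list | python3 check_activemq.py` after replacing the sample text with `sys.stdin.read()`; because Maven resolves transitive dependencies, the client jar pulled in by activemq-broker (the artifact Wim was looking at) shows up and is flagged even though the broker artifact itself is not in the checked set.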