Incorrect identification of vulnerability CVE-2021-43980
Summary
Dependency Scanning flags the following packages as vulnerable to CVE-2021-43980:
org.apache.tomcat.embed/tomcat-embed-core:9.0.64
org.apache.tomcat.embed/tomcat-embed-websocket:9.0.64
But the CVE-2021-43980 advisory lists the following as the affected versions:
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77
Steps to reproduce
Create a new Java Spring Boot project using Spring Boot 2.7.1 and add spring-boot-starter-web as a dependency.
This starter has a transitive dependency on the Apache Tomcat packages reported above (tomcat-embed-core and tomcat-embed-websocket 9.0.64).
Create a CI pipeline which runs a dependency scan.
What is the current bug behavior?
The dependency scan completes and incorrectly reports a Medium severity vulnerability with identifier CVE-2021-43980 in the package versions above.
What is the expected correct behavior?
No vulnerability should be reported for these package versions: Tomcat 9.0.64 is later than 9.0.60, the upper bound of the affected 9.0.x range, so it is outside every range listed in the advisory.
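To verify the claim independently of the scanner, the check below compares a reported version against the affected ranges quoted above. It is an added example written for this issue, not code from GitLab or from the scanner; the milestone ordering (a 9.0.0-M1 pre-release sorts before the 9.0.0 final) is an assumption that matches how Tomcat numbers its milestones, and the two coordinate strings are the ones from the scanner output above.

```python
"""Check Apache Tomcat versions against the CVE-2021-43980 affected ranges.

Added example for this issue; not part of GitLab Dependency Scanning.
"""
import re

# Affected ranges exactly as quoted in the issue (both ends inclusive).
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M12"),
    ("10.0.0-M1", "10.0.18"),
    ("9.0.0-M1", "9.0.60"),
    ("8.5.0", "8.5.77"),
]

# Tomcat versions look like 9.0.64 or 10.1.0-M12 (milestone pre-release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Return a sortable key for a Tomcat version string.

    Assumption: a milestone such as 9.0.0-M1 is a pre-release and sorts
    before the final 9.0.0, so the key is (major, minor, patch, is_final,
    milestone_number).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside any of the inclusive affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in ranges)


def artifact_version(coordinate):
    """Split a scanner coordinate 'group/artifact:version' into (name, version)."""
    name, _, version = coordinate.rpartition(":")
    if not version:
        raise ValueError(f"coordinate has no version: {coordinate!r}")
    return name, version


def triage(findings):
    """Map each reported coordinate to whether it really is in an affected range."""
    return {coord: is_affected(artifact_version(coord)[1]) for coord in findings}


if __name__ == "__main__":
    # The two coordinates reported by the scanner in this issue.
    reported = [
        "org.apache.tomcat.embed/tomcat-embed-core:9.0.64",
        "org.apache.tomcat.embed/tomcat-embed-websocket:9.0.64",
    ]
    for coord, hit in triage(reported).items():
        verdict = "AFFECTED" if hit else "not affected (false positive)"
        print(f"{coord}: {verdict}")
```

Running the script against the two reported coordinates classifies both as not affected; the same function returns True for 9.0.60, 9.0.0-M1 and 10.1.0-M12, which are the boundaries of the quoted ranges, so the false positive is not explained by an off-by-one at a range edge.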
Output of checks
Results of GitLab environment info
GitLab Enterprise Edition 15.4.0-ee