[ https://issues.apache.org/jira/browse/DERBY-7135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17510018#comment-17510018 ]

Bryan Pendleton commented on DERBY-7135:
----------------------------------------

This seems like a flaw in the scanning tool. Apache Derby does not include any 
source code from Apache Thrift and I have not heard of any reports of 
CVE-2020-13949 for Apache Derby.

Perhaps you could contact the vendor of the scanning tool and ask them to help 
you figure out why your copy of derbynet.jar is being flagged as containing 
this CVE?

> Does derby 10.14.2.0 contain the CVE-2020-13949 vulnerability?
> --------------------------------------------------------------
>
>                 Key: DERBY-7135
>                 URL: https://issues.apache.org/jira/browse/DERBY-7135
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.14.2.0
>            Reporter: JenickLee
>            Priority: Blocker
>         Attachments: Snipaste_2022-03-22_00-43-37.png, 
> Snipaste_2022-03-22_00-51-12.png
>
>
> Use a security tool to scan the derby 10.14.2.0 installation package. *The 
> result shows that derbynet.jar contains the CVE-2020-13949 vulnerability.* 
> The vulnerability is related to  Hive and Thrift, but no reference is found 
> in the derby 10.14.2.0 source code.
> *Is it a false positive? Which of the following application scenarios will be 
> affected if the vulnerability is involved?*
> For details about the scanning result, see the attachment.
> Vulnerability Details:
> [https://nvd.nist.gov/vuln/detail/CVE-2020-13949]
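An added, self-contained check (not from the Derby project or anyone in this thread) that a practitioner could run against the flagged derbynet.jar before going back to the scanner vendor: it lists any entries under the Thrift or Hive packages, including inside nested jars, which is what the CVE-2020-13949 finding would require. The jar names and class entries below are constructed for the demo, not real Derby artifacts.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Package prefixes that would have to be present for the scanner's finding to be
# real: CVE-2020-13949 is a Thrift defect, and the report mentions Hive alongside it.
SUSPECT_PREFIXES = ("org/apache/thrift/", "org/apache/hive/")


def find_suspect_entries(jar):
    """Return every entry under SUSPECT_PREFIXES, recursing into nested jars.
    Nested hits are reported as 'inner.jar!entry' so a shaded/uber jar that
    bundles libthrift is not missed. `jar` may be a path or a file-like object."""
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith(SUSPECT_PREFIXES):
                hits.append(name)
            elif name.endswith(".jar"):
                nested = io.BytesIO(zf.read(name))
                hits.extend(f"{name}!{h}" for h in find_suspect_entries(nested))
    return hits


def build_demo_jars(directory):
    """Constructed sample jars (not real Derby artifacts) so the check runs offline."""
    d = Path(directory)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; contents are irrelevant here
    clean = d / "derbynet-demo.jar"  # mimics derbynet.jar: Derby classes, no Thrift
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/derby/drda/NetworkServerControl.class", stub)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("org/apache/thrift/TException.class", stub)
    bundled = d / "bundled-demo.jar"  # hypothetical jar that ships libthrift nested
    with zipfile.ZipFile(bundled, "w") as zf:
        zf.writestr("org/apache/derby/drda/NetworkServerControl.class", stub)
        zf.writestr("lib/libthrift-demo.jar", inner.getvalue())
    return clean, bundled


def run_demo():
    """Scan both constructed jars; only the one that nests Thrift should hit."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bundled = build_demo_jars(tmp)
        return {"clean": find_suspect_entries(clean), "bundled": find_suspect_entries(bundled)}


if __name__ == "__main__":
    print(run_demo())
```

Running `find_suspect_entries("derbynet.jar")` on the real jar and getting an empty list is the evidence to hand to the scanner vendor; a non-empty list names exactly which bundled entry triggered the match.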



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
