False positives and residual vulnerabilities
This page contains vulnerabilities reported by scanners that are currently classified either as false positives or as residual vulnerabilities.
Each record documents the reason for the classification, the affected versions, and the planned remediation status.
| Identifier | Vulnerability | CVSS / EPSS | Risk factor | Reported in versions | Reason | Description | Scheduled to | Patched in support branch |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-47554 | Uncontrolled Resource Consumption vulnerability in Apache Commons IO. | 8.7 / 0.00131 | High (by Docker Scout) | 4.8 / 4.9 / 4.10 | False positive | False positive reported by the Docker Scout scanner. The library is not used by midPoint. | | |
- Identifier - identifier or multiple identifiers (if the vulnerability is reported in multiple databases).
- Vulnerability - name of the vulnerability, with a link to the relevant advisory or vulnerability documentation (if reported externally).
- Reason - why the issue is listed here:
  - False positive - the scanner report is a false positive.
  - Not affected - the vulnerability is present, but midPoint is not affected.
  - Accepted residual risk - the vulnerability is present, but its severity is lower than originally reported and the risk is accepted until it is removed.
  - Scheduled for implementation - the fix is already scheduled and will be implemented.
- Description - short explanation of why the finding is not currently resolved and what its practical impact is.
- Scheduled to - version or versions in which the remediation is planned.
- Patched in support branch - Yes / No, including the relevant support branch versions when applicable.
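The legend above defines a small schema: a fixed column layout, a closed vocabulary for `Reason`, and fields that only make sense for some reasons (a record that is "Scheduled for implementation" without a "Scheduled to" version is incomplete). The following script is an added example, not midPoint project code: it parses a Markdown table in this page's layout and reports rows that violate the legend. The sample table it runs on is constructed for the example; the `CVE-0000-*` identifiers are hypothetical rows added only to show the checks firing.

```python
"""Consistency check for a false-positive / residual-vulnerability table.

Added example, not midPoint project code.  Parses a Markdown table with the
column layout documented on this page and checks each record against the
legend.  Sample rows are constructed; CVE-0000-* identifiers are hypothetical.
"""

# Column layout documented on the page, in order.
COLUMNS = [
    "Identifier", "Vulnerability", "CVSS / EPSS", "Risk factor",
    "Reported in versions", "Reason", "Description", "Scheduled to",
    "Patched in support branch",
]

# Closed vocabulary for the Reason column (from the legend).
REASONS = {
    "False positive",
    "Not affected",
    "Accepted residual risk",
    "Scheduled for implementation",
}

# Reasons that imply a planned remediation and therefore need a target version.
REASONS_REQUIRING_SCHEDULE = {"Accepted residual risk", "Scheduled for implementation"}

# Cell values treated as "not filled in".
EMPTY = {"", "-"}

# Constructed sample: the page's record plus two hypothetical rows that break the legend.
SAMPLE_TABLE = """
| Identifier | Vulnerability | CVSS / EPSS | Risk factor | Reported in versions | Reason | Description | Scheduled to | Patched in support branch |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-47554 | Uncontrolled Resource Consumption vulnerability in Apache Commons IO. | 8.7 / 0.00131 | High (by Docker Scout) | 4.8 / 4.9 / 4.10 | False positive | The library is not used by midPoint. | - | - |
| CVE-0000-00001 | Hypothetical finding A | 5.0 / 0.001 | Medium | 4.9 | Scheduled for implementation | Fix planned. | | No |
| CVE-0000-00002 | Hypothetical finding B | 5.0 / 0.001 | Medium | 4.9 | Wontfix | Unknown reason. | - | - |
"""


def parse_table(text):
    """Return (header, rows); rows are dicts keyed by the table's own header cells."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip().startswith("|")]
    header = [cell.strip() for cell in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[2:]:  # skip header and the |---| separator
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        rows.append(dict(zip(header, cells)))
    return header, rows


def parse_scores(cell):
    """Split a 'CVSS / EPSS' cell into two floats; ValueError if malformed."""
    cvss, epss = (part.strip() for part in cell.split("/"))
    return float(cvss), float(epss)


def check_record(row):
    """Return a list of legend violations for one record (empty list = consistent)."""
    problems = []
    if row.get("Identifier", "") in EMPTY:
        problems.append("missing Identifier")
    reason = row.get("Reason", "")
    if reason not in REASONS:
        problems.append(f"unknown Reason {reason!r}; expected one of {sorted(REASONS)}")
    try:
        cvss, epss = parse_scores(row.get("CVSS / EPSS", ""))
        if not (0.0 <= cvss <= 10.0 and 0.0 <= epss <= 1.0):
            problems.append(f"score out of range: CVSS={cvss}, EPSS={epss}")
    except ValueError:
        problems.append(f"malformed 'CVSS / EPSS' cell {row.get('CVSS / EPSS')!r}")
    if reason in REASONS_REQUIRING_SCHEDULE and row.get("Scheduled to", "") in EMPTY:
        problems.append(f"'Scheduled to' is required when Reason is {reason!r}")
    patched = row.get("Patched in support branch", "")
    if patched not in EMPTY and not patched.startswith(("Yes", "No")):
        problems.append(f"'Patched in support branch' must start with Yes or No, got {patched!r}")
    return problems


def check_table(text):
    """Map Identifier -> problems for every row that violates the legend."""
    header, rows = parse_table(text)
    if header != COLUMNS:
        raise ValueError(f"unexpected column layout: {header}")
    findings = {}
    for row in rows:
        problems = check_record(row)
        if problems:
            findings[row["Identifier"]] = problems
    return findings


if __name__ == "__main__":
    for identifier, problems in check_table(SAMPLE_TABLE).items():
        for problem in problems:
            print(f"{identifier}: {problem}")
```

Running the script on the constructed sample flags only the two hypothetical rows: the first because a "Scheduled for implementation" record has no target version, the second because "Wontfix" is not one of the four reasons the legend allows. The page's own record passes unchanged.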