The Plugins site and the pluginManager Available page are both reporting for OWASP Dependency-Check:
The current version of this plugin contains a vulnerability:
XXE vulnerability
The Security Notice says:
OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks
The GitHub site indicates there was a new release (5.1.2) yesterday which incorporates PR #41: CVE-2021-43577.
As the plugin is presently up for adoption, I am grateful to kudos-dude for merging the fix and Weston Wieser for cutting the new release.
Unfortunately, there does not seem to be an actual changelog for this plugin, so it’s hard to tell what’s changed release by release. Can someone confirm that the release does address the CVE and, if so, what was missed in removing the “The current version of this plugin contains a vulnerability” warning from the plugins site?
Is there merely a delay, or is manual intervention required due to the lack of a changelog or the release being merely a tag and not a “GitHub release”?
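For readers who want to see what “does not configure its XML parser to prevent XXE” means in practice, here is an added example (editor’s code, not the plugin’s own code and not the change in PR #41) that parses a constructed report with a default JAXP DocumentBuilderFactory and with a hardened one. The element names (`analysis`, `dependency`, `fileName`) and the temp-file “secret” are made up for illustration and are not the Dependency-Check report schema.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload (not a real Dependency-Check report): a DOCTYPE declares an
    // external entity pointing at a local file, then dereferences it in a text node.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE analysis [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<analysis><dependency><fileName>&xxe;</fileName></dependency></analysis>";
    }

    // Default factory: entity expansion and external DTD/entity resolution are on,
    // so the parser reads the referenced file and splices its contents into the DOM.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory, using the JAXP feature flags the OWASP XXE Prevention
    // Cheat Sheet recommends for DOM parsers.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the most complete defence (also stops billion-laughs).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE has to be tolerated:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text of the first <fileName> element.
    static String parseFileName(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("fileName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for anything readable by the Jenkins process.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "s3cr3t-token");
        String xml = payload(secret);
        try {
            System.out.println("default parser : " + parseFileName(vulnerableFactory(), xml));
            try {
                System.out.println("hardened parser: " + parseFileName(hardenedFactory(), xml));
            } catch (SAXParseException e) {
                System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the default factory the `fileName` text comes back as the contents of the temp file; with the hardened factory the parse is rejected at the DOCTYPE with a SAXParseException before any entity is resolved. The disallow-doctype-decl feature alone is enough to block this payload; the remaining flags are there so the parser stays safe if a future caller has to relax that one.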