Nexus marks version with vulnerability patch as vulnerable

According to the package owner, System.Data.SqlClient 4.8.5 is the fix version for the vulnerability issue CVE-2022-41064, but Nexus still reports it. If the package is indeed safe, then shouldn't Nexus update this issue?

Source: .NET Information Disclosure Vulnerability · CVE-2022-41064 · GitHub Advisory Database · GitHub

Hi @valourie - thanks for reaching out. I reached out to our team about this. There was a patch released on version 4.8.5. However, upon further investigation, our security research team determined that there were some scenarios where users with “fixed” versions were still vulnerable, which is why Nexus still reports this. There is more information in Nexus Lifecycle that explains this further in an Advisory Deviation Notice associated with this issue.
