SNMP4J libraries are currently () reported as:
The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.
| CVSS: | 7.5 |
| URL: | CVE-2015-5621 |
| CWE: | CWE-19 Data Handling |
It seems that the OWASP dependency check simply looks for the keyword "SNMP" in JAR and package names (which is part of SNMP4J). That is of course too simple and really bad quality. A bug report has been created at OWASP dependency check:
https://github.com/jeremylong/DependencyCheck/issues/1248
False Positive!
SNMP4J and any related APIs (i.e. SNMP4J-Agent, SNMP4J-AgentX, SNMP4J-SMI-PRO, SNMP4J-Model, ...) have no dependencies to NET-SNMP and they do not have any code in common.