Roave / SecurityAdvisories

🔐 Security advisories as a simple composer exclusion list, updated daily
MIT License

CVE-2023-25013 and firebase/php-jwt #106

Closed notFloran closed 1 year ago

notFloran commented 1 year ago

The commit https://github.com/Roave/SecurityAdvisories/commit/df155ba3057743b818f94889528787f145992478 is associated with CVE-2023-25013 (package in2code/femanager), but it changes the constraint of firebase/php-jwt from <2 to <6.

I don't see any relation between these 2 packages, so I think this is an error.

hhofstaetter commented 1 year ago

There is a CVE for php-jwt < 6: https://www.cve.org/CVERecord?id=CVE-2021-46743

But it's a different one and it's 1 year old.

So it seems the reference in the commit is wrong, but the content of the commit is right.

notFloran commented 1 year ago

> There is a CVE for php-jwt < 6: https://www.cve.org/CVERecord?id=CVE-2021-46743
>
> But it's a different one and it's 1 year old.
>
> So it seems the reference in the commit is wrong, but the content of the commit is right.

OK thanks, I didn't see that.