Closed ggallo909 closed 1 year ago
No.
Not only did the reporting party create their own advisory and make it public before the industry-standard 30 days after the fix was released, they also made the affected version range too broad, even after we told them to narrow it.
I've made a PR here to fix it that will hopefully get merged. https://github.com/github/advisory-database/pull/2379
I have to admit, having the entire Craft CMS 3.x version completely blocked by erroneous advisories is getting tiresome. This is now the third instance I'm aware of where an advisory has marked all versions of Craft CMS 3 incorrectly.
I appreciate this isn't a Craft CMS/Pixel and Tonic issue, but there have to be safeguards against nuking an entire major Composer dependency without some form of verification or validation. It sounds like the reporting party didn't even follow responsible disclosure and ignored guidance too. That is frankly shameful, especially for a company like Tenable.
Maybe Tenable should look at themselves when they call out others like Microsoft for irresponsible policy.
@jamesmacwhite Agree 100%. The whole security/bounty/cve reporting ecosystem is rife with problems, especially for vendors that are actively trying to do the right thing for their users. I wish I had some solutions.
What happened?
Description
Got a notice from Composer that warns about the moderate-severity vulnerability https://github.com/advisories/GHSA-7x94-jx75-3gh6 for all versions < 4.4.12. Is Craft 3 affected by this vulnerability? Thanks.
Craft CMS version
3.8.13
PHP version
No response
Operating system and version
No response
Database type and version
No response
Image driver and version
No response
Installed plugins and versions
-