Closed myHerbDev closed 2 months ago
Hi there @jackwilson323! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.
This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Thanks for submitting this PR @myHerbDev. I think changing S:U to S:C is sensible.
At the same time, I'm considering if it's worth updating AC:L to AC:H. Based on the CVSS metric value definitions:
An attacker couldn't reliably exploit this against any Next.js app on the affected versions, they would require knowledge of which routes are performing rewrites. While this could (for some apps) be enumerated from open source code, I don't believe that's reliable enough and would start to creep into the definition of "measurable amount of effort in preparation..." from the AC:H metric.
Let me know your thoughts!
Apologies for the delay on getting to this. Is this still something you're open to @jackwilson323? It looks like @myHerbDev might not be engaged here.
Hey @darakian, I'm open to adjusting the CVSS to ensure the metrics are reflected correctly, but the actual benefit of doing so is somewhat limited as it would result in the same overall CVSS score as shown here.
I mean the CVSS score is more than just a number. Users can filter on the specific components to better sort their alert flow, but ya that is also not a game changer. I do like the changes myself, so if you're ok with it I'll close this PR out as myHerbDev seems to be afk or something and I'll make the changes manually on our end.
Sounds good to me!
Done and done 👍