github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-2p57-rm9w-gvfp] ip SSRF improper categorization in isPublic #4489

Closed tomegantcs closed 1 month ago

tomegantcs commented 1 month ago

Updates

Comments

Updated the versions based on https://github.com/advisories/GHSA-78xj-cgh5-2h22.

shelbyc commented 1 month ago

👋 Hi @tomegantcs, I'm confused by this pull request. GHSA-2p57-rm9w-gvfp/CVE-2024-29415 has the vulnerable version range <= 2.0.1 because the fix for GHSA-78xj-cgh5-2h22/CVE-2023-42282 was incomplete. Therefore, 2.0.1 shouldn't be marked as a patched version because it contains a residual vulnerability. Is there something that I'm misunderstanding about the relationship between CVE-2024-29415 and CVE-2023-42282?
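The point shelbyc makes is that "patched" is a per-advisory property: a release can close one advisory while a second advisory, opened because the first fix was incomplete, still covers it. The following Python is an added example that is not part of this pull request or of the advisory database's own tooling. It evaluates OSV-style `introduced` / `fixed` / `last_affected` version events for the two advisories named in the thread. The `<= 2.0.1` range for GHSA-2p57-rm9w-gvfp comes from the comment above; the exact event values shown for GHSA-78xj-cgh5-2h22 are an assumption made for illustration and should be read from the real advisory record.

```python
"""Check which advisories still match a given package version.

Version ranges use the OSV event vocabulary (introduced / fixed / last_affected)
that GitHub advisories are published in. The concrete ranges below are
constructed for this example, not copied from the advisory database.
"""

# Assumed/constructed advisory data for the `ip` npm package.
ADVISORIES = {
    # Assumed: original SSRF advisory, fixed in 1.1.9 and 2.0.1 (illustrative values).
    "GHSA-78xj-cgh5-2h22": ("CVE-2023-42282", [
        {"introduced": "0", "fixed": "1.1.9"},
        {"introduced": "2.0.0", "fixed": "2.0.1"},
    ]),
    # From the thread: the incomplete-fix advisory covers every version <= 2.0.1
    # and had no fixed version at the time, so it uses last_affected.
    "GHSA-2p57-rm9w-gvfp": ("CVE-2024-29415", [
        {"introduced": "0", "last_affected": "2.0.1"},
    ]),
}


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version ('2.0.1') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(spans: list, version: str) -> bool:
    """Return True if `version` lies inside any introduced..fixed or
    introduced..last_affected span. `fixed` is exclusive, `last_affected`
    is inclusive, as in the OSV schema."""
    v = parse_version(version)
    for span in spans:
        if v < parse_version(span["introduced"]):
            continue
        if "fixed" in span and v >= parse_version(span["fixed"]):
            continue
        if "last_affected" in span and v > parse_version(span["last_affected"]):
            continue
        return True
    return False


def matching_advisories(version: str) -> list:
    """List the GHSA ids whose ranges still include `version`.
    This mirrors why an alert fires: any matching advisory is enough."""
    return [ghsa for ghsa, (_cve, spans) in ADVISORIES.items()
            if is_affected(spans, version)]


def is_patched_against_all(version: str) -> bool:
    """A version is only 'patched' if no advisory in the set matches it."""
    return not matching_advisories(version)


if __name__ == "__main__":
    for candidate in ("1.1.8", "1.1.9", "2.0.0", "2.0.1"):
        print(candidate, "->", matching_advisories(candidate) or "no open advisories")
```

Running it shows 2.0.1 clearing GHSA-78xj-cgh5-2h22 but still matching GHSA-2p57-rm9w-gvfp, which is exactly why 2.0.1 cannot be listed as a patched version for the second advisory, and why the alert a consumer sees is attributed to the advisory whose range still contains the installed version rather than to the one it has already satisfied.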

tomegantcs commented 1 month ago

Hi @shelbyc. Okay, so I'm misreading this alert. I'm thinking that the alert is because of GHSA-78xj-cgh5-2h22 (CVE-2023-42282), not GHSA-2p57-rm9w-gvfp (CVE-2024-29415). I'm just going to close this because I see what you're saying. Don't know if this is a good place for a suggestion, but if the CVE ID and GHSA ID in the side bar were links I might have realized this without an explanation. Sorry to take up your time.

shelbyc commented 1 month ago

@tomegantcs Thanks for responding! With respect to your suggestion about the CVE/GHSA ID in the side bar containing links, I can pass along the feedback to my colleagues. 🙂