Closed tomegantcs closed 1 month ago
👋 Hi @tomegantcs, I'm confused by this pull request. GHSA-2p57-rm9w-gvfp/CVE-2024-29415 has the vulnerable version range <= 2.0.1 because the fix for GHSA-78xj-cgh5-2h22/CVE-2023-42282 was incomplete. Therefore, 2.0.1 shouldn't be marked as a patched version because it contains a residual vulnerability. Is there something that I'm misunderstanding about the relationship between CVE-2024-29415 and CVE-2023-42282?
Hi @shelbyc. Okay, so I'm misreading this alert. I'm thinking that the alert is because of GHSA-78xj-cgh5-2h22 (CVE-2023-42282), not GHSA-2p57-rm9w-gvfp (CVE-2024-29415). I'm just going to close this because I see what you're saying. Don't know if this is a good place for a suggestion, but if the CVE ID and GHSA ID in the sidebar were links I might have realized this without an explanation. Sorry to take up your time.
@tomegantcs Thanks for responding! With respect to your suggestion about the CVE/GHSA ID in the sidebar containing links, I can pass along the feedback to my colleagues. 🙂
Updated the versions based on https://github.com/advisories/GHSA-78xj-cgh5-2h22.