github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-cr7j-rwmv-vgch] aimeos-core arbitrary file upload vulnerability #4544

Closed aimeos closed 3 months ago

aimeos commented 3 months ago

Duplicate of https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c

Affected versions are only 2024.04.x below 2024.04.5

shelbyc commented 3 months ago

👋 Hi @aimeos, I see that this vulnerability, represented by two advisories, GHSA-cr7j-rwmv-vgch and GHSA-rhc2-23c2-ww7c, also has two CVEs. MITRE issued CVE-2024-36811. GitHub issued CVE-2024-37295 when a CVE was requested for GHSA-rhc2-23c2-ww7c. Would you prefer to keep CVE-2024-36811 from MITRE or CVE-2024-37295 from GitHub? Once I know which CVE you prefer to keep, I will withdraw the duplicate advisory and reach out to MITRE to initiate the CVE deduplication process.

aimeos commented 3 months ago

We would like to keep https://github.com/advisories/GHSA-rhc2-23c2-ww7c from GitHub. Thanks a lot!

advisory-database[bot] commented 3 months ago

Hi @aimeos! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

shelbyc commented 3 months ago

@aimeos https://github.com/advisories/GHSA-cr7j-rwmv-vgch has been withdrawn as a duplicate of https://github.com/advisories/GHSA-rhc2-23c2-ww7c, and I've reached out to MITRE via cveform.mitre.org to request that CVE-2024-36811 be marked as a duplicate of CVE-2024-37295. Thanks for reaching out to let us know about the duplicate advisory and duplicate CVE!