search

github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International
1.66k stars 304 forks source link

Missing advisories for npm packages from CVE-2024-4067 #4548

Open aarongoldenthal opened 1 week ago

aarongoldenthal commented 1 week ago

The npm packages braces and micromatch have been reported as susceptible to CVE-2024-4067. While the CVE and advisory are officially "unreviewed", the vulnerabilities have been clearly established and reported to the maintainers with no response here and here.

Given the current state of NVD data and the lengthy backlog of CVE's needing review, this advisory should be promoted and mapped to the applicable npm packages given the additional supporting data (it is currently not mapped to any npm packages, which is inaccurate).

aarongoldenthal commented 2 days ago

After further review, while there seems to be some questions still floating around about the viability of this CVE, the packages themselves were updated to protect against it, so not sure why they should not be mapped to this advisory.