github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-88g2-r9rw-g55h] gitoxide-core does not neutralize special characters for terminals #4925

Closed EliahKagan closed 1 month ago

EliahKagan commented 1 month ago

This low-risk vulnerability, tracked in https://github.com/GitoxideLabs/gitoxide/issues/1534, has not yet been patched, but new versions of the affected crates gitoxide-core and gitoxide have been released. This edit bumps their version upper bounds accordingly, to reflect that this is unpatched in all existing versions of those crates.

I have already made this change in the repo-level GHSA advisory. No corresponding change is required in the NVD entry or the RUSTSEC advisory, since those do not specify explicit affected-version ranges. So this global GHSA is the only thing that (still) needs to be updated for this.

Although this is not the kind of vulnerability that is likely to go away due to seemingly unrelated changes, to make sure that this edit is correct I have verified experimentally that the vulnerability is still present with the new versions, and that the proof-of-concept procedure in this advisory still succeeds at demonstrating it.

This lists CVSS v3 as having been edited here, but I did not modify that. I believe that is due to changes that have been made in the advisory database itself, and that the same CVSS base scores will be listed both before and after this revision. So I am not worried about that.

(Sometimes, I have observed that edits to advisories that contain complex constructions involving backslashes--including in Markdown code blocks--have resulted in the introduction of additional backslashes, which cause the content to become incorrect, to be made when the changes from the PR are merged, even though the incorrect material has not appeared in the revisions themselves. #4777 details the most recent time I have observed this to occur. My hope is that this will not happen here, since this is only editing metadata. However, I will watch for it and, if it arises, then I will either attempt to fix it or open an issue to request help with it, as was successful in #4777.)

github commented 1 month ago

Hi there @Byron! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

JonathanLEvans commented 1 month ago

@EliahKagan, thank you for your contribution. The changes will be approved.

For the future, if you make changes to the repo-level GHSA, we will automatically be notified of the change so you can save time by not making the additional pull request.

> This lists CVSS v3 as having been edited here, but I did not modify that.

This is currently a limitation of the request form. We will ensure the CVSS score is preserved on our end.

> Sometimes, I have observed that edits to advisories that contain complex constructions involving backslashes--including in Markdown code blocks--have resulted in the introduction of additional backslashes

Thank you for making me aware of this. I will do additional investigation.

advisory-database[bot] commented 1 month ago

Hi @EliahKagan! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

EliahKagan commented 5 days ago

> For the future, if you make changes to the repo-level GHSA, we will automatically be notified of the change so you can save time by not making the additional pull request.

Thanks--and sorry I didn't reply earlier! For edits that I expect and intend to apply the same way to a repo-level GHSA and its corresponding global GHSAs, I'll edit only the repo-level GHSA.