github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

The version range of GHSA-pv7h-hx5h-mgfj is inconsistent with CVE-2022-25845 #4965

Closed zhangzhenyu2 closed 3 weeks ago

zhangzhenyu2 commented 1 month ago

GHSA-pv7h-hx5h-mgfj version range: (>= 1.2.25, < 1.2.83)

CVE-2022-25845 version range: (< 1.2.83)

Which one is right?

https://osv.dev/vulnerability/GHSA-pv7h-hx5h-mgfj (>= 1.2.25, < 1.2.83)

https://www.cve.org/CVERecord?id=CVE-2022-25845 (<1.2.83)

This is not a problem; I want our methods to be more accurate.

JonathanLEvans commented 1 month ago

Hi @zhangzhenyu2, we added the lower bound based on a community contribution. The vulnerability is in the autoType check feature, which was introduced in 1.1.25 via https://github.com/alibaba/fastjson/commit/90af6aadfa9be7592fdc8e174458ddaebb2b19c4#diff-f140f6d9ec704eccb9f4068af9d536981a644f7d2a6e06a1c50ab5ee078ef6b4R790 and fixed in https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15.