google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

GHSA-c5pj-mqfh-rvc3 Still in osv #2332

Open zhangzhenyu2 opened 1 week ago

zhangzhenyu2 commented 1 week ago

GHSA-c5pj-mqfh-rvc3 "Runc allows an arbitrary systemd property to be injected" is a misunderstood vulnerability. Users do NOT need to update runc.

https://github.com/opencontainers/runc/issues/4263

But https://storage.googleapis.com/osv-vulnerabilities/index.html?prefix=Go/ is still in osv.

michaelkedar commented 4 days ago

The JSON record for GHSA-c5pj-mqfh-rvc3 has it marked as withdrawn:

```json
"id": "GHSA-c5pj-mqfh-rvc3",
"modified": "2024-06-05T18:30:34Z",
"published": "2024-04-26T06:30:34Z",
"withdrawn": "2024-04-30T09:37:23Z",
```

I believe it is intended that we export withdrawn vulnerabilities.

Edit: Found the relevant FAQ entry: https://google.github.io/osv.dev/faq/#how-does-osvdev-handle-withdrawn-records