MindaugasBernatavicius
commented
1 week ago Indeed, this affects pip-audit results and delays "time to resolution" metrics in environments that track this for auditing purposes.
Issue alias is listed as "fix available": https://osv.dev/vulnerability/GHSA-hxwh-jpp2-84pm . PYSEC-2024-71 has it's import datasource as: https://github.com/pypa/advisory-database/blob/main/vulns/flask-cors/PYSEC-2024-71.yaml from pypa advisory. Pypa say that they use nist feeds https://nvd.nist.gov/vuln/data-feeds and this tool: https://github.com/google/osv.dev/tree/master/vulnfeeds - to match vulnerabilities by ids or something like that.
Does this need to be fixed upstream in Pypa advisory repo? Or even the original vuln report: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d ?
hogo6002
github-actions[bot]
andrewpollock
It looks like this issue was solved in fix version: 5.0.0 but this vulnerability is still labelled as 5.* as an affected version.
Additional context Looking at the flask-cors last 5.0.0 release, it looks to have addressed this issue:
Should this vulnerability be marked as having a fix version? Maybe this is an issue with the project itself and not a data integrity issue?