[GHSA-qppj-fm5r-hxr3] swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack #2860
Conversation
|
Hi there @Lukasa! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
joakime/advisory-improvement-2860
Can you expand on what you mean there? |
CVE-2023-4487 is a public CVE, not assigned to any specific product or project. What this means, is that every reference to CVE-2023-4487 on github (as text, not as a link) is now linking to this swift-nio-http2 advisory. (this is wrong) Examples in Discussions: Examples in Release Notes: Examples in Issues: Examples in PRs: |
|
We can generalize the text to read more generically if that's what you're asking for, but they do seem to be affected by this CVE. I don't see how this is |
|
The process at github for advisories is an overall good thing.
co-opting is probably a poor word choice. It's really "confusing the daylights out of other users" is what's going on.
This repo? as in https://github.com/github/advisory-database ? Will do. |
|
Filed as Issue #2869 |
|
Yeah, to clarify here we liaised with CloudFlare who specifically asked that affected implementations should use this CVE number, so we did. I think this suggests that GitHub may want to slightly tweak the implementation story, but if we hear feedback from CloudFlare that they'd like us to use a different number, we can of course do so. |
|
@Lukasa that's correct, your advisory here is meant to update the top level CVE-2023-44487 by adding the details from this Advisory to the "Known Affected Software Configurations". Which it has btw, see https://nvd.nist.gov/vuln/detail/CVE-2023-44487 (you appear to be Configuration 10 on that list at the time of this comment) I represent Eclipse Jetty, and we are Configuration 5. (We got our configuration into the CVE at the beginning, back on Oct 10th, but didn't do it via a Github Advisory) What isn't correct, is that this specific advisory is representing itself all over github as CVE-2023-44487. I started this PR as a change to this specific advisory to quit representing itself as CVE-2023-44487. |
|
@joakime apologies for the delay. We can still make changes to this advisory to make it read more generically, but ya the root cause is unlikely to be fixed quickly. Do you want to close this PR out and follow up on the other issue or would generalizing this advisory also help? |
|
@joakime. I think that might be a better place to start. We can always reopen this if need be, but I'll close this PR for now 😃 |
Updates
Comments
This advisory is co-opting the public CVE-2023-44487 found referenced everywhere on github now.
Those references should point to something like https://nvd.nist.gov/vuln/detail/CVE-2023-44487, not this Advisory.
Also, the CVSS score for the public CVE https://nvd.nist.gov/vuln/detail/CVE-2023-44487 is 7.5 High - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (not the low number on this advisory)
To make the rest of the github sane, please remove the CVE id from this advisory, or make this advisory have it's own unique CVE id.