[GHSA-p26g-97m4-6q7c] Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies #2404
Conversation
Hi there @jmcc0nn3ll! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
@darakian - Just to be clear compared to #2393, can you help me understand what I should do differently? Should I try to update jetty-server's advisory directly?

https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217 - here's the tag that shows that the CVE was fixed in that release
jetty/jetty.project@jetty-9.4.50.v20221201...jetty-9.4.51.v20230217 - here's the diff from the previous release
jetty/jetty.project#9352 - here's the PR that's mentioned in this advisory
https://central.sonatype.com/artifact/org.eclipse.jetty/jetty-server/9.4.51.v20230217 - here's the artifact from Maven Central.
@jeffalder this is perfect from my perspective. Having a release tag which links back to the root issue is 👍
c401ad1 into jeffalder/advisory-improvement-2404
Hi @jeffalder! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
I see; the issue is there is some tooling that is not picking up the nuance of 9.4.51 with that v## date at the end. Do I have that correct?
I suppose you can put it that way. The source advisory that we ingested didn't reference the v## date at the end and it seems that during manual review of the advisory we missed that.
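The exchange above is about a fixed-version string that was recorded without its date qualifier. As an added example (not code from the advisory database, GitHub's ingestion tooling or the Jetty project), the following shows how a dependency-audit check can parse Jetty's `MAJOR.MINOR.PATCH.vYYYYMMDD` scheme so that the artifact name on Maven Central and the advisory's fixed version compare consistently, next to a plain string-equality check that misses the qualifier. The version strings used are the ones quoted in this thread; the function names are my own.

```python
import re
from typing import Tuple

# Fixed version as written in the thread above (release tag and Maven Central artifact).
FIXED_VERSION = "9.4.51.v20230217"

# Jetty 9.x versions look like 9.4.51.v20230217: three numeric parts plus an
# optional "v" + 8-digit date qualifier.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")


def parse_jetty_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[.vYYYYMMDD]' into a tuple that sorts correctly.

    The date qualifier becomes the fourth component. A version written without
    the qualifier (e.g. '9.4.51') gets 0 there, so it sorts below any dated
    9.4.51 build: the bare form cannot be confirmed as the fixed build.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch, date = match.groups()
    return (int(major), int(minor), int(patch), int(date or 0))


def naive_is_fixed(installed: str, fixed: str = "9.4.51") -> bool:
    """Exact string equality against a fixed version recorded without its
    qualifier: a dated artifact never matches, so it is reported as unfixed."""
    return installed == fixed


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Component-wise comparison: installed >= fixed means the fix is present."""
    return parse_jetty_version(installed) >= parse_jetty_version(fixed)


if __name__ == "__main__":
    for candidate in ("9.4.50.v20221201", "9.4.51.v20230217", "9.4.51"):
        print(candidate, "naive:", naive_is_fixed(candidate), "parsed:", is_fixed(candidate))
```

Running the block prints that the previous release 9.4.50.v20221201 is unfixed under both checks, that 9.4.51.v20230217 is fixed only under the parsed comparison, and that a bare "9.4.51" is not accepted as fixed because the qualifier is missing. The conservative treatment of unqualified versions is a design choice: a lockfile or SBOM that drops the date gives no evidence of which 9.4.51 build is deployed, so the audit should ask for the full artifact version rather than guess.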
Sorry, just a bit confused with the process here since I got notified of it. I have no issue with this change or the other in #2393, it is a good clarification, and we'll try and keep it in future CVEs. Do you know if I need to do anything here? cheers,
All good. We have an automated system to ping authors so they're at least in the loop about changes to how the global version of their advisory is being altered. Nothing needed on your end 😃
Perfect, thanks for keeping us in the loop; I appreciate it!
Updates
Comments
Similar fix as #2393; The correct version is already specified in the details markdown.