[GHSA-344f-f5vg-2jfj] Potential remote code execution in Apache Tomcat#7520
Pull request overview
Updates the GHSA advisory for CVE-2020-9484 (Apache Tomcat) to reflect additional affected Maven artifacts.
Changes:
- Updates the advisory `modified` timestamp.
- Adds `org.apache.tomcat.embed:tomcat-embed-core` to the `affected` list with version ranges for the Tomcat 7/8/9/10 lines.
| { | ||
| "introduced": "9.0.0" | ||
| }, | ||
| { | ||
| "fixed": "9.0.35" | ||
| } |
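Review bot: the introduced event for the 9.x range should be 9.0.0.M1 rather than 9.0.0; under Maven version ordering a milestone qualifier sorts before the plain release, so `"introduced": "9.0.0"` with `"fixed": "9.0.35"` leaves every 9.0.0.M* build outside the affected range even though the advisory details list 9.0.0.M1 to 9.0.34.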
The new affected range for org.apache.tomcat.embed:tomcat-embed-core starts at 9.0.0, but the advisory details (and other Tomcat advisories in this repo) use milestone versions for Tomcat 9 (e.g., 9.0.0.M1). Using introduced: 9.0.0 will exclude affected 9.0.0.M* builds. Consider changing the introduced event to 9.0.0.M1 (to mirror the wording in details: 9.0.0.M1 to 9.0.34).
| "introduced": "8.0.0" | ||
| }, | ||
| { | ||
| "fixed": "8.5.55" | ||
| } |
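Review bot: the introduced event for this range belongs at 8.5.0, not 8.0.0; with `"fixed": "8.5.55"` the range [8.0.0, 8.5.55) also pulls in every 8.0.x release, which the details text (8.5.0 to 8.5.54) does not list as affected.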
This new range mixes Tomcat 8.0 and 8.5 lines: introduced: 8.0.0 with fixed: 8.5.55. That implies versions >= 8.0.0 and < 8.5.55, which is not the intended affected set and conflicts with the details text (8.5.0 to 8.5.54). The introduced version should likely be 8.5.0 (and keep fixed: 8.5.55).
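To make the two review points above concrete, here is an added example (not code from this PR or from the advisory database): a simplified Maven-style version comparator with OSV `[introduced, fixed)` semantics, so that the affected set of the proposed ranges can be checked against the versions named in the details text.

```python
# Simplified Maven-style ordering: alpha < beta < milestone < rc < snapshot
# < release < sp; numeric parts compare as integers (assumption, not Maven itself).
import re

_QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
_ALIASES = {"a": "alpha", "b": "beta", "m": "milestone", "cr": "rc",
            "ga": "", "final": "", "release": ""}
_RELEASE = ("qual", _QUALIFIERS.index(""))

def _tokens(version):
    # '9.0.0.M1' -> [('num', 9), ('num', 0), ('num', 0), ('qual', 2), ('num', 1)]
    toks = []
    for part in re.split(r"[.\-]", version.lower()):
        if part.isdigit():
            toks.append(("num", int(part)))
            continue
        m = re.fullmatch(r"([a-z]+)(\d*)", part)
        word = _ALIASES.get(m.group(1), m.group(1)) if m else None
        if word not in _QUALIFIERS:
            raise ValueError(f"unsupported version part {part!r} in {version!r}")
        toks.append(("qual", _QUALIFIERS.index(word)))
        if m.group(2):
            toks.append(("num", int(m.group(2))))
    return toks

def _cmp_token(x, y):
    # A missing token is 0 against a number and a final release against a
    # qualifier, so 9.0.0.M1 < 9.0.0 while 9.0 == 9.0.0.
    if x is None:
        x = ("num", 0) if y[0] == "num" else _RELEASE
    if y is None:
        y = ("num", 0) if x[0] == "num" else _RELEASE
    if x[0] == y[0]:
        return (x[1] > y[1]) - (x[1] < y[1])
    return 1 if x[0] == "num" else -1  # any number sorts after a qualifier

def compare(a, b):
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [None] * (n - len(ta))
    tb += [None] * (n - len(tb))
    for x, y in zip(ta, tb):
        c = _cmp_token(x, y)
        if c:
            return c
    return 0

def affected(version, introduced, fixed):
    # OSV range semantics: introduced <= version < fixed.
    return compare(introduced, version) <= 0 and compare(version, fixed) < 0
```

With this, `affected("9.0.0.M1", "9.0.0", "9.0.35")` is False while `affected("9.0.0.M1", "9.0.0.M1", "9.0.35")` is True, and `affected("8.0.53", "8.0.0", "8.5.55")` is True but `affected("8.0.53", "8.5.0", "8.5.55")` is False.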
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the
Hi, just checking in on the review status. I'd like to keep this PR open while waiting for feedback. Please let me know if there's anything I should update on my end. Thanks!
3ac0bfc into aruneko/advisory-improvement-7520
Hi @aruneko! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
fix affected packages depends on patch codes