Help reconciling GitHub General Advisory with Repo Specific Advisory

[georgebearden]

I've been trying to track down why a vulnerability is not being reported in my security tooling, and believe I've finally found the root cause and am looking for guidance as to why this discrepancy exists.

When I look at this vulnerability reported in the uuid repo it shows the following affected versions:

<11.1.1
12.0.0
13.0.0

However, when I look at the general vulnerability reported under the GitHub Advisory Database it shows the following affected versions:

>= 11.0.0, < 11.1.1
>= 12.0.0, < 12.0.1
>= 13.0.0, < 13.0.1

Originally looking at only the first set of affected versions, I spent a few hours trying to track down where in my security tooling the break down was happening that failed to identity an instance of uuid v10 as having a vulnerability. By pure luck, I came across the second set of affected versions, which makes more sense.

Any help/insights are much appreciated.

[VanessaHenderson]

Have the exact same question! I'm wondering regarding the 3x range and if they weren't added to the original description because they are "deprecated". The versions are explicitly called out as not rejecting and sending an error and even in the GitHub title...
v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

[broofa]

The vulnerability as reported in this repo is correct. All versions < 11.1.1 have this vulnerability. This includes major versions 3.x->10.x. (Affected APIs were not present in uuid prior to uuid@3).

Versions < 11 are no longer supported, so no patches for them.

Patches have been released for versions 11-13. Version 14 was cut after the vulnerability was fixed, fwiw.

Note: I've updated the security advisory to clarify that "v3, v5, v6" refers to API methods, not release versions.

---

BTW, I don't actually know how to edit the General Vulnerability you've linked to. I receive notices when other people submit edits to it, that I can comment on, but I'm not sure if I even have the ability to edit it as the source of the initial report. 🤷

[VanessaHenderson]

Okay; To clarify all versions of the npm module pre-11.1.1 are vulnerable. I can see that the other one has been updated to match now! Thanks for the clarification

[georgebearden]

Thank you @broofa - My security scanning software is now correctly flagging older versions of the package has having the vulnerability. Cheers and feel free to close this as resolved!