[GHSA-g88v-2j67-9rmx] Fess has Insecure Temporary File Permissions #5663
Hi there @marevol! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull Request Overview
This pull request updates the CVSS vector string and severity rating for the GHSA-g88v-2j67-9rmx advisory to address formatting violations and reflect an accurate vulnerability assessment.
- Updated the CVSS vector string by removing the trailing slash to comply with the specification
- Adjusted the severity rating from LOW to MODERATE based on updated analysis
Comments suppressed due to low confidence (2)
advisories/github-reviewed/2025/05/GHSA-g88v-2j67-9rmx/GHSA-g88v-2j67-9rmx.json:14
- The trailing slash has been removed from the CVSS vector string to comply with the official specification; please confirm that the threat metrics have been excluded as intended.
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
advisories/github-reviewed/2025/05/GHSA-g88v-2j67-9rmx/GHSA-g88v-2j67-9rmx.json:60
- Verify that the severity rating change from LOW to MODERATE accurately reflects the vulnerability assessment and that all documentation is updated accordingly.
"severity": "MODERATE"
Merged f9ae56c into yusuke-koyoshi/advisory-improvement-5663
Hi @yusuke-koyoshi! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Hi @yusuke-koyoshi, I merged the PR because I agree that the trailing However, with respect to the threat metric, I'm interested in knowing why you don't want
Thank you for merging. Environment Metrics and Threat Metrics are the responsibility of users who use CVSS. https://www.first.org/cvss/v4-0/user-guide
When a maintainer advisory determines a vulnerability as Low severity, the base metrics values need to be configured to result in Low severity using only base metrics values. The CVSS Scores are as follows:

CVSS v4.0 Score: 1.2 / Low
CVSS v4.0 Score: 5.1 / Medium

The GitHub Advisory Database's CVSS v4 display only shows base metrics. Additionally, the edit screen for "Suggest improvements for this vulnerability" basically only allows input of base metrics.

From the above, it can be understood that the GitHub Advisory Database is premised on having only CVSS base metrics registered. There are several vulnerabilities where Environmental Metrics and Threat Metrics have been mistakenly registered.
@yusuke-koyoshi After thinking about my response a little longer, I think it would be more complete to discuss why I use CVSS threat metrics.

GitHub is in an interesting position among CVE Numbering Authorities. In addition to producing CVE data, we consume CVE data and include that data in the GitHub Advisory Database. By that logic, it's appropriate for my colleagues and me to assess threat metrics when determining how severe vulnerabilities that are reviewed for inclusion in the GHAD are.

Additionally, aside from the idea of CVE producer vs. CVE consumer -- Threat metrics aren't like environmental metrics, which can vary from consumer to consumer. If a vulnerability has a publicly available proof of concept, or if it has been exploited in the wild, or if exploitation of the vulnerability may be made easier via use of a toolkit, that information is unlikely to change from consumer to consumer. Between finding value in the threat metric as someone who consumes CVE data from other CNAs and reasoning that threat metric data is likely to remain stable between consumers, I think it's acceptable for GHSA-g88v-2j67-9rmx to contain threat metric data. What do you think about threat metric information appearing in a GitHub Security Advisory vs. a CVE record?

I've thought about changing one aspect of the CVSS, though. What do you think about changing the CVSS to https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U or https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N? Changing
I agree with this. Threat metrics are only an evaluation at that point in time.
Since this is not realistic, I believe that Threat metrics should not be included in the CVSS of vulnerability databases.
When you want to include Threat metrics in CVSS, you need to display both CVSS-BT (representing CVSS with Base metrics and Threat metrics) and CVSS-B (representing CVSS with Base metrics only).
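The two points argued in this thread, that a trailing slash violates the CVSS vector string format and that a database should be able to distinguish a CVSS-B vector from a CVSS-BT one, can both be checked mechanically. The following Python parser is an added example written for this page, not code from the GitHub Advisory Database project or from either commenter. It assumes only the metric groups, permitted values and CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE nomenclature of the CVSS v4.0 specification, does not compute scores, and checks Environmental and Supplemental values only for shape (a simplification of the full value tables). `ADVISORY_VECTOR` is the vector from this PR; the other inputs and all function names are constructed for the demo.

```python
"""Parse, validate and classify CVSS v4.0 vector strings (added example)."""
from typing import Dict, Optional

VECTOR_PREFIX = "CVSS:4.0"

# Metric groups as defined in the CVSS v4.0 specification.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
THREAT_METRICS = ("E",)
ENVIRONMENTAL_METRICS = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                         "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
SUPPLEMENTAL_METRICS = ("S", "AU", "R", "V", "RE", "U")
KNOWN_METRICS = BASE_METRICS + THREAT_METRICS + ENVIRONMENTAL_METRICS + SUPPLEMENTAL_METRICS

# Permitted values for Base and Threat metrics. Environmental and Supplemental
# values are only checked to be upper-case letters (simplification).
ALLOWED_VALUES = {name: frozenset(letters) for name, letters in {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
    "E": "XAPU",
}.items()}

# The vector string from this PR (Base metrics only).
ADVISORY_VECTOR = "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"


class CvssVectorError(ValueError):
    """Raised for a vector string that violates the v4.0 format rules."""


def parse_cvss4(vector: str) -> Dict[str, str]:
    """Return {metric: value} for a well-formed v4.0 vector, else raise."""
    # The format is "CVSS:4.0" followed by "/NAME:VALUE" pairs with nothing
    # after the last pair, so a trailing slash is a format error.
    if vector.endswith("/"):
        raise CvssVectorError("trailing slash is not permitted")
    parts = vector.split("/")
    if parts[0] != VECTOR_PREFIX:
        raise CvssVectorError(f"vector must start with {VECTOR_PREFIX}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        # str.isupper() is False for "", so empty names/values are rejected too.
        if sep != ":" or not name.isupper() or not value.isupper():
            raise CvssVectorError(f"malformed metric {part!r}")
        if name not in KNOWN_METRICS:
            raise CvssVectorError(f"unknown metric {name}")
        if name in metrics:
            raise CvssVectorError(f"metric {name} given more than once")
        allowed = ALLOWED_VALUES.get(name)
        if allowed is not None and value not in allowed:
            raise CvssVectorError(f"value {value} not valid for {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise CvssVectorError("missing Base metrics: " + ", ".join(missing))
    return metrics


def group_metrics(metrics: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Split parsed metrics into the four v4.0 metric groups."""
    groups = {"Base": BASE_METRICS, "Threat": THREAT_METRICS,
              "Environmental": ENVIRONMENTAL_METRICS,
              "Supplemental": SUPPLEMENTAL_METRICS}
    return {g: {m: metrics[m] for m in names if m in metrics}
            for g, names in groups.items()}


def nomenclature(metrics: Dict[str, str]) -> str:
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE. A metric set to X (Not Defined)
    carries no information and is treated as absent (assumption made here)."""
    grouped = group_metrics(metrics)
    has_threat = any(v != "X" for v in grouped["Threat"].values())
    has_env = any(v != "X" for v in grouped["Environmental"].values())
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


def base_vector(metrics: Dict[str, str]) -> str:
    """Rebuild the CVSS-B vector: prefix plus Base metrics only, in spec order.
    This is what a display limited to Base metrics would show."""
    return "/".join([VECTOR_PREFIX] + [f"{m}:{metrics[m]}" for m in BASE_METRICS])


def vector_error(vector: str) -> Optional[str]:
    """None for a valid vector, otherwise the format error message."""
    try:
        parse_cvss4(vector)
    except CvssVectorError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    samples = [
        ADVISORY_VECTOR,                 # CVSS-B, as stored in the advisory
        ADVISORY_VECTOR + "/E:U",        # CVSS-BT: Threat metric added (constructed)
        ADVISORY_VECTOR + "/",           # the trailing-slash defect this PR fixed
        ADVISORY_VECTOR + "/E:U/MAV:N",  # CVSS-BTE (constructed)
    ]
    for v in samples:
        err = vector_error(v)
        if err:
            print(f"{v}\n  INVALID: {err}")
        else:
            m = parse_cvss4(v)
            print(f"{v}\n  {nomenclature(m)}  base-only: {base_vector(m)}")
```

Running the script prints the nomenclature and the Base-only vector for each valid input and a format error for the trailing-slash variant. A database that displays only Base metrics can store the full vector and render `base_vector()` while labelling the record with `nomenclature()`, which is the CVSS-B / CVSS-BT distinction the thread asks for.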
Hi @yusuke-koyoshi, thank you for reaching out to share your perspective. While the threat metric is optional, the CVSS standard denotes that it is "highly recommended for more meaningful results," which is our driving reason to include it when applicable. We receive regular updates from various vulnerability data feeds, including directly from the maintainer’s repository GHSA and from the community in this forum, and rely on these feeds to know when an update is required. We have internally noted your feedback about our CVSS display improvements for consideration but are unfortunately unable to promise any timeline for addressing that at this time. We’ve noted the need for this on both repository GHSA and global GHSA displays, and for the "Suggest improvements for this vulnerability" form. Thank you again for sharing this with us!
Updates
Comments
Threat Metrics should not be included in the CVSS vector string for vulnerabilities.
The trailing slash violates the format of the CVSS vector string.