Closed
Description
The vulnerability CVE-2024-53299 in Wicket has the matching entry GHSA-9cxr-76pm-j3wf in the advisory database. The severity according to GitHub's advisory is critical, while the description states that it is only a denial-of-service vulnerability. While assessments can deviate, a pure DoS vulnerability should at most be a medium severity when using a scoring based on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) or high for CVSS 4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). CISA ADP seems to conclude that exploitation even requires local privileges and thus rates it as a medium as well.
Please consider reviewing the severity and adapting it as necessary.
GitHub advisory entry:
CISA ADP:
Metadata