Advisory GHSA-g434-3q2j-hj4r lists incorrect fixed version

[M-Aditya-shankar]

I have noticed an issue with the details provided in the advisory GHSA-g434-3q2j-hj4r regarding the fixed version.

The advisory lists 3.1.9 as the version where the issue is fixed. However, the vulnerable function was actually introduced in version 3.1.9 (commit reference).

The actual fix was implemented in version 3.1.10 (fix commit).

Could you please review and update the advisory to reflect the correct information? Thank you.

[JonathanLEvans]

Hi @M-Aditya-shankar, thank you for your contribution.

First, GitHub is not the assigning CNA for this CVE. To ensure all CVE users receive this update, please contact the assigning CNA at https://cveform.mitre.org/.

The source MITRE used to assign the CVE ID appears to be the fix statement in the release notes for 3.1.9. It may be that change also introduced a second vulnerability, which would need to addressed by the MITRE CNA.

Let us know if you need assistance with this!

[M-Aditya-shankar]

@JonathanLEvans I reached out to MITRE regarding CVE-2018-12071-GHSA-g434-3q2j-hj4r (Service Request #1879398), and here’s what they advised:

We would suggest that you reach out to the GitHub Advisory team with your findings regarding CVE-2018-12071. One way might be to click the link near the bottom of the advisory page to suggest an improvement. You can also email them at security-advisories@github.com. Let us know if they make any changes to the advisory based on your findings.

[JonathanLEvans]

Hi @M-Aditya-shankar, I have updated GHSA-g434-3q2j-hj4r. It looks like MITRE forgot to update the description so you may want to contact them again.