Merge pull request #808 from github/karfau-GHSA-9pgh-qqpf-7wqj

github · Nov 8, 2022 · 6bef157 · 6bef157
2 parents 9214bd2 + dde4f6f
commit 6bef157
Showing 1 changed file with 15 additions and 18 deletions.
diff --git a/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json b/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
@@ -1,34 +1,31 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-9pgh-qqpf-7wqj",
-  "modified": "2022-10-18T21:46:48Z",
+  "modified": "2022-11-08T18:05:14Z",
   "published": "2022-10-11T20:42:57Z",
   "aliases": [
     "CVE-2022-37616"
   ],
   "summary": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom",
-  "details": "### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n\n### References\nhttps://github.com/xmldom/xmldom/pull/437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n* Add information to https://github.com/xmldom/xmldom/issues/436\n",
+  "details": "### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n**Please be aware that every attempt to provide an exploit, was not able to and we are in the process of marking this report as invalid.**\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n\n### References\nhttps://github.com/xmldom/xmldom/pull/437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n* Add information to https://github.com/xmldom/xmldom/issues/436\n",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-    }
+
   ],
   "affected": [
     {
       "package": {
         "ecosystem": "npm",
-        "name": "@xmldom/xmldom"
+        "name": "xmldom"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0.8.0"
+              "introduced": "0"
             },
             {
-              "fixed": "0.8.3"
+              "last_affected": "0.6.0"
             }
           ]
         }
@@ -37,20 +34,23 @@
     {
       "package": {
         "ecosystem": "npm",
-        "name": "xmldom"
+        "name": "@xmldom/xmldom"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "0.9.0-beta.1"
             },
             {
-              "last_affected": "0.6.0"
+              "fixed": "0.9.0-beta.2"
             }
           ]
         }
+      ],
+      "versions": [
+        "0.9.0-beta.1"
       ]
     },
     {
@@ -63,16 +63,13 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0.9.0-beta.1"
+              "introduced": "0.8.0"
             },
             {
-              "fixed": "0.9.0-beta.2"
+              "fixed": "0.8.3"
             }
           ]
         }
-      ],
-      "versions": [
-        "0.9.0-beta.1"
       ]
     },
     {
@@ -137,7 +134,7 @@
     "cwe_ids": [
       "CWE-1321"
     ],
-    "severity": "CRITICAL",
+    "severity": "LOW",
     "github_reviewed": true
   }
 }