[GHSA-9pgh-qqpf-7wqj] Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

[bchew]

Updates

• Affected products

Comments
Maintainer has merged xmldom/xmldom#441 which backports the fix to 0.7.x branch and released as 0.7.6.

Updated changelog: https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md#076

Hopefully this would resolve the dependabot alert generated for this to allow for 0.7.6 to be considered as a fixed version as well, thanks.

[github]

Hi there @karfau! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[karfau]

I'm not sure the claim is correct.
Would the update still make clear that the following version range is still affected: >=0.8.0 && <0.8.3?

[github]

Hi there @karfau! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[bchew]

@karfau I've fixed it now and have updated the summary details as well

[karfau]

Thx a lot. Looks good to me. But I'm not familiar with the syntax of the json file.

PS I was not even aware that there is a global version of the advisory, which needs to be maintained separately when making changes to our advisory.

[advisory-database]

Hi @bchew! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[karfau]

I thought about it a bit more and updated the fields with valid semver ranges:

Patched versions: ~0.7.6 || ~0.8.3 || >=0.9.0-beta.2
Affected versions: <0.7.6 || 0.8.0 || 0.8.1 || 0.8.2 || 0.9.0-beta.1.

I tested both ranges with https://semver.npmjs.com/

I also updated the advisory description to reflect the fix for 0.7.6.

[karfau]

@bchew should I file another PR to update the description and also the CVSS vector and base score, which I took from https://nvd.nist.gov/vuln/detail/CVE-2022-37616.

[bchew]

@karfau thanks for getting the change in, the dependabot alert has been resolved for us with the upgrade to 0.7.6 🙂

This actually started when I used the Suggest improvements for this vulnerability link at GHSA-9pgh-qqpf-7wqj - which then automatically created this PR, this whole workflow is new to me as I have not done this before 😄

Did some brief digging and It looks like there is some syncing which happens between the repository advisory and the global one? https://github.com/github/advisory-database/commits/main/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json So I am unsure if you would need another PR if you have already updated it in the repository..

Appreciate your efforts in maintaining xmldom! 🙂