[GHSA-9pgh-qqpf-7wqj] Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom #808
Conversation
Hi there @karfau! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory
Hi @karfau, I saw your contribution here as well as in #809. The system for publishing GitHub Security Advisories on the global database doesn't allow version ranges (e.g. The free-form descriptions for the global advisories list the patched version ranges for GHSA-9pgh-qqpf-7wqj and GHSA-crh6-fp67-6883. We just can't put them in the
@shelbyc Thx for letting me know. In that case I guess we can close this PR as unmerged.
Ah no, it actually merged my more recent changes into the same PR, so this should still land, even without the updated ranges. I updated the PR description. |
@karfau I just saw your more recent commit as well as the conversation at xmldom/xmldom#436. We can withdraw the global GitHub Security Advisory if a vulnerability is invalid. GHSA-rwqr-c348-m5wr is an example of an advisory withdrawn because of concerns about validity, and a withdrawn advisory for GHSA-9pgh-qqpf-7wqj would look similar. CVE-2022-37616 was assigned through MITRE, not GitHub, so anything related to the CVE will need to go through MITRE. MITRE has a web form (https://cveform.mitre.org/) for CVE requests, including requesting updates to CVE entries.
Thank you again for helping me to understand what I need to do. |
Hi @karfau! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
Multiple people have reported that they have tried to create an exploit and have not been able to, so they suggest to mark it as invalid.
The person that initially reported it was not responding so far and seems to have reported plenty of similar false reports.
xmldom/xmldom#436 (comment)
xmldom/xmldom#436 (comment)
xmldom/xmldom#436 (comment)