
[GHSA-9pgh-qqpf-7wqj] Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom #808

Merged

Conversation


@karfau karfau commented Nov 8, 2022

Updates

  • Affected products

Comments
Multiple people have reported that they have tried to create an exploit and have not been able to, so they suggest marking it as invalid.
The person that initially reported it has not been responding so far and seems to have reported plenty of similar false reports.
xmldom/xmldom#436 (comment)
xmldom/xmldom#436 (comment)
xmldom/xmldom#436 (comment)


github commented Nov 8, 2022

Hi there @karfau! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to karfau/advisory-improvement-808 November 8, 2022 17:17

shelbyc commented Nov 8, 2022

Hi @karfau, I saw your contribution here as well as in #809. The system for publishing GitHub Security Advisories on the global database doesn't allow version ranges (e.g. >= or ~) in patched version values, only numbers and certain characters (., -) often used to separate parts of version numbers. If someone tries to include >= or ~ in a patched version, we get an error message and can't publish the update.

The free-form descriptions for the global advisories list the patched version ranges for GHSA-9pgh-qqpf-7wqj and GHSA-crh6-fp67-6883. We just can't put them in the Patched versions section.


github commented Nov 8, 2022

Hi there @karfau! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.


karfau commented Nov 8, 2022

@shelbyc Thanks for letting me know.
I'm assuming that tools like dependabot just assume that any higher patch version is also fixed?

In that case I guess we can close this PR as unmerged.


karfau commented Nov 8, 2022

Ah no, it actually merged my more recent changes into the same PR, so this should still land, even without the updated ranges. I updated the PR description.
(A request to reject the advisory/CVE has been sent via email)


shelbyc commented Nov 8, 2022

@karfau I just saw your more recent commit as well as the conversation at xmldom/xmldom#436. We can withdraw the global GitHub Security Advisory if a vulnerability is invalid. GHSA-rwqr-c348-m5wr is an example of an advisory withdrawn because of concerns about validity, and a withdrawn advisory for GHSA-9pgh-qqpf-7wqj would look similar.

CVE-2022-37616 was assigned through MITRE, not GitHub, so anything related to the CVE will need to go through MITRE. MITRE has a web form (https://cveform.mitre.org/) for CVE requests, including requesting updates to CVE entries. Rejection is one of the reasons for requesting a CVE update.


karfau commented Nov 8, 2022

Thank you again for helping me to understand what I need to do.
I filed the request for rejection in the web form.
I have also already sent a mail to security-advisories@github.com to request rejection of the CVE, which I hope will be understood as meaning a withdrawal.

@advisory-database advisory-database bot merged commit 6bef157 into karfau/advisory-improvement-808 Nov 8, 2022
@advisory-database advisory-database bot deleted the karfau-GHSA-9pgh-qqpf-7wqj branch November 8, 2022 19:33
@advisory-database

Hi @karfau! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
