From c75eb4779828cb16ccd3aeec6a4f535161a96d33 Mon Sep 17 00:00:00 2001
From: Christian Bewernitz
Date: Tue, 8 Nov 2022 18:16:34 +0100
Subject: [PATCH 1/2] Improve GHSA-9pgh-qqpf-7wqj

---
 .../GHSA-9pgh-qqpf-7wqj.json | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json b/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
index 593918eeced8..4836b150313e 100644
--- a/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
+++ b/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-9pgh-qqpf-7wqj",
-  "modified": "2022-10-18T21:46:48Z",
+  "modified": "2022-11-08T17:16:33Z",
   "published": "2022-10-11T20:42:57Z",
   "aliases": [
     "CVE-2022-37616"
@@ -18,17 +18,17 @@
     {
       "package": {
         "ecosystem": "npm",
-        "name": "@xmldom/xmldom"
+        "name": "xmldom"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0.8.0"
+              "introduced": "0"
             },
             {
-              "fixed": "0.8.3"
+              "last_affected": "0.6.0"
             }
           ]
         }
@@ -37,20 +37,23 @@
     {
       "package": {
         "ecosystem": "npm",
-        "name": "xmldom"
+        "name": "@xmldom/xmldom"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "0.9.0-beta.1"
             },
             {
-              "last_affected": "0.6.0"
+              "fixed": ">=0.9.0-beta.2"
             }
           ]
         }
+      ],
+      "versions": [
+        "0.9.0-beta.1"
       ]
     },
     {
@@ -63,17 +66,17 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0.9.0-beta.1"
+              "introduced": "0.8.0"
             },
             {
-              "fixed": "0.9.0-beta.2"
+              "fixed": "~0.8.3"
             }
           ]
         }
       ],
-      "versions": [
-        "0.9.0-beta.1"
-      ]
+      "database_specific": {
+        "last_known_affected_version_range": "< 0.8.3"
+      }
     },
     {
       "package": {
@@ -88,11 +91,14 @@
               "introduced": "0"
             },
             {
-              "fixed": "0.7.6"
+              "fixed": "~0.7.6"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 0.7.6"
+      }
     }
   ],
   "references": [
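Review bot: The `fixed` events written in the third, fourth and fifth hunks of this commit — `"fixed": ">=0.9.0-beta.2"`, `"fixed": "~0.8.3"` and `"fixed": "~0.7.6"` — are semver range expressions, but an OSV `ECOSYSTEM` event holds one exact version, so a consumer comparing installed versions against these strings will either reject the event or fail to recognise the patched releases, and the affected set for `@xmldom/xmldom` becomes unreliable. Those three events should read `"fixed": "0.9.0-beta.2"`, `"fixed": "0.8.3"` and `"fixed": "0.7.6"`, which PATCH 2/2 on this page does restore. The `database_specific.last_known_affected_version_range` objects added in the fourth and fifth hunks only restate the range the events already express and would have to be kept in sync by hand.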
From dde4f6fd91f58d754a57eb1aa0700c4ef58e4caa Mon Sep 17 00:00:00 2001
From: Christian Bewernitz
Date: Tue, 8 Nov 2022 19:05:14 +0100
Subject: [PATCH 2/2] Improve GHSA-9pgh-qqpf-7wqj

---
 .../GHSA-9pgh-qqpf-7wqj.json | 27 +++++++------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json b/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
index 4836b150313e..51281410f084 100644
--- a/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
+++ b/advisories/github-reviewed/2022/10/GHSA-9pgh-qqpf-7wqj/GHSA-9pgh-qqpf-7wqj.json
@@ -1,18 +1,15 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-9pgh-qqpf-7wqj",
-  "modified": "2022-11-08T17:16:33Z",
+  "modified": "2022-11-08T18:05:14Z",
   "published": "2022-10-11T20:42:57Z",
   "aliases": [
     "CVE-2022-37616"
   ],
   "summary": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom",
-  "details": "### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n\n### References\nhttps://github.com/xmldom/xmldom/pull/437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n* Add information to https://github.com/xmldom/xmldom/issues/436\n",
+  "details": "### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n**Please be aware that every attempt to provide an exploit, was not able to and we are in the process of marking this report as invalid.**\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n\n### References\nhttps://github.com/xmldom/xmldom/pull/437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n* Add information to https://github.com/xmldom/xmldom/issues/436\n",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-    }
+
   ],
   "affected": [
     {
@@ -47,7 +44,7 @@
               "introduced": "0.9.0-beta.1"
             },
             {
-              "fixed": ">=0.9.0-beta.2"
+              "fixed": "0.9.0-beta.2"
             }
           ]
         }
@@ -69,14 +66,11 @@
               "introduced": "0.8.0"
             },
             {
-              "fixed": "~0.8.3"
+              "fixed": "0.8.3"
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "< 0.8.3"
-      }
+      ]
     },
     {
       "package": {
@@ -91,14 +85,11 @@
               "introduced": "0"
             },
             {
-              "fixed": "~0.7.6"
+              "fixed": "0.7.6"
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "< 0.7.6"
-      }
+      ]
     }
   ],
   "references": [
@@ -143,7 +134,7 @@
     "cwe_ids": [
       "CWE-1321"
     ],
-    "severity": "CRITICAL",
+    "severity": "LOW",
     "github_reviewed": true
   }
 }
\ No newline at end of file
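Review bot: The sentence added to `details` in the first hunk announces that the report is about to be marked invalid, yet the record keeps its `affected` ranges and `CWE-1321`, removes the CVSS vector and only lowers `database_specific.severity` to `"LOW"` in the last hunk, so nothing left in the file substantiates that rating and automated consumers will keep flagging the package at an arbitrary level. If the report is being withdrawn, the OSV `withdrawn` timestamp is the signal scanners act on; `"withdrawn": "<RFC 3339 timestamp>"` next to `modified` would state that unambiguously, with the explanation staying in `details`. The emptied `severity` array left in the first hunk could be omitted instead, since the key is optional in the schema. The added sentence also reads awkwardly; `**Please be aware that no attempt to provide a working exploit has succeeded, and we are in the process of marking this report as invalid.**` keeps the meaning.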