[GHSA-q3mw-pvr8-9ggc] Apache Tomcat Open Redirect vulnerability#7517
Pull request overview
Updates the GHSA-q3mw-pvr8-9ggc advisory to expand the list of affected Maven coordinates for Apache Tomcat’s open redirect vulnerability.
Changes:
- Bumped the advisory `modified` timestamp.
- Added new `affected` entries for `org.apache.tomcat.embed:tomcat-catalina` across Tomcat 8.5.x, 9.0.x, 10.1.x, and 11.0.x version ranges.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat.embed:tomcat-catalina" | ||
| }, |
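Review bot: the coordinate org.apache.tomcat.embed:tomcat-catalina in this package block is repeated verbatim in three further affected entries, in the PR summary, and in the commit message ("adding org.apache.tomcat.embed:tomcat-catalina"), so whatever coordinate is settled on has to be applied to all of them together; a single-entry fix would leave the advisory matching one branch and silently missing the others. Please state the verified coordinate once in the PR description so each repeated block can be checked against it.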
The Maven coordinate org.apache.tomcat.embed:tomcat-catalina looks inconsistent with the coordinates used elsewhere in this repo: other Tomcat advisories track Catalina as org.apache.tomcat:tomcat-catalina (e.g. advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json:21) and embed artifacts as org.apache.tomcat.embed:tomcat-embed-core / tomcat-embed-*. If the intent is to cover the Catalina JAR, this should likely be org.apache.tomcat:tomcat-catalina (and updated consistently for each new affected entry), otherwise automated matching may never hit this package name.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat.embed:tomcat-catalina" | ||
| }, |
Same issue as above: this affected entry uses org.apache.tomcat.embed:tomcat-catalina, but Tomcat Catalina is typically tracked as org.apache.tomcat:tomcat-catalina in this repo; please confirm the intended Maven coordinate and update accordingly so the advisory matches real dependencies.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat.embed:tomcat-catalina" | ||
| }, |
Same issue as above: org.apache.tomcat.embed:tomcat-catalina is inconsistent with other advisories (which use org.apache.tomcat:tomcat-catalina). Please verify the correct Maven coordinate; otherwise this range will not apply to any real package.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat.embed:tomcat-catalina" | ||
| }, |
Same issue as above: this entry uses the org.apache.tomcat.embed:tomcat-catalina coordinate; please verify and (if needed) change to the coordinate used for Catalina elsewhere in the repo (org.apache.tomcat:tomcat-catalina).
adding org.apache.tomcat.embed:tomcat-catalina