[GHSA-344f-f5vg-2jfj] Potential remote code execution in Apache Tomcat#7520
aruneko wants to merge 1 commit from aruneko/advisory-improvement-7520
Conversation
Pull request overview
Updates the GHSA advisory for CVE-2020-9484 (Apache Tomcat) to reflect additional affected Maven artifacts.
Changes:
- Updates the advisory `modified` timestamp.
- Adds `org.apache.tomcat.embed:tomcat-embed-core` to the `affected` list with version ranges for the Tomcat 7/8/9/10 lines.
| { | ||
| "introduced": "9.0.0" | ||
| }, | ||
| { | ||
| "fixed": "9.0.35" | ||
| } |
The new affected range for org.apache.tomcat.embed:tomcat-embed-core starts at 9.0.0, but the advisory details (and other Tomcat advisories in this repo) use milestone versions for Tomcat 9 (e.g., 9.0.0.M1). Using introduced: 9.0.0 will exclude affected 9.0.0.M* builds. Consider changing the introduced event to 9.0.0.M1 (to mirror the wording in details: 9.0.0.M1 to 9.0.34).
| "introduced": "8.0.0" | ||
| }, | ||
| { | ||
| "fixed": "8.5.55" | ||
| } |
This new range mixes Tomcat 8.0 and 8.5 lines: introduced: 8.0.0 with fixed: 8.5.55. That implies versions >= 8.0.0 and < 8.5.55, which is not the intended affected set and conflicts with the details text (8.5.0 to 8.5.54). The introduced version should likely be 8.5.0 (and keep fixed: 8.5.55).
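To make the two range problems above concrete, here is an added example (not code from the advisory-database repository, from Apache Tomcat, or from the PR author) that evaluates OSV `introduced`/`fixed` events with a small Maven-style version comparator. The comparator is a deliberately reduced subset of Maven's ordering rules (dotted numeric segments, an optional qualifier such as `.M1` or `-M5`, and the rule that a qualified build sorts before the bare release, so `9.0.0.M1 < 9.0.0`). The event lists and the sample versions are constructed to mirror the two hunks and the corrections suggested in the comments; they are not copied from the advisory file.

```python
"""Evaluate OSV-style 'introduced'/'fixed' ranges for Maven artifacts.

Added example for this review thread; not code from the advisory database
or from Tomcat. The comparator implements only the subset of Maven's
ComparableVersion rules needed for Tomcat version strings:
  - dotted numeric segments, with trailing zeros ignored (8.5 == 8.5.0)
  - an optional qualifier after '.' or '-' (M1, RC2, ...), where
    alpha < beta < milestone < rc < snapshot < plain release
"""
import re
from functools import total_ordering

# Rank of the qualifier; "" is the plain release and sorts last.
_QUALIFIER_RANK = {
    "alpha": 0, "a": 0,
    "beta": 1, "b": 1,
    "milestone": 2, "m": 2,
    "rc": 3, "cr": 3,
    "snapshot": 4,
    "": 5,
}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?:[.-](?P<qual>[A-Za-z]+)(?P<qnum>\d*))?$"
)


@total_ordering
class MavenVersion:
    """Comparable wrapper around a Tomcat-style Maven version string."""

    def __init__(self, text: str):
        m = _VERSION_RE.match(text)
        if not m:
            raise ValueError(f"unsupported version string: {text!r}")
        nums = [int(n) for n in m.group("nums").split(".")]
        while len(nums) > 1 and nums[-1] == 0:  # Maven treats 8.5 and 8.5.0 alike
            nums.pop()
        qual = (m.group("qual") or "").lower()
        if qual not in _QUALIFIER_RANK:
            raise ValueError(f"unsupported qualifier in {text!r}")
        qnum = int(m.group("qnum")) if m.group("qnum") else 0
        self.text = text
        self.key = (nums, _QUALIFIER_RANK[qual], qnum)

    def __eq__(self, other):
        return self.key == other.key

    def __lt__(self, other):
        return self.key < other.key

    def __hash__(self):
        return hash((tuple(self.key[0]), self.key[1], self.key[2]))

    def __repr__(self):
        return f"MavenVersion({self.text!r})"


def is_affected(version: str, events: list) -> bool:
    """True if `version` lies in a range built from OSV events.

    Each 'introduced' opens a half-open range that the next 'fixed' closes:
    introduced <= version < fixed. An 'introduced' with no 'fixed' is open-ended.
    """
    v = MavenVersion(version)
    lower = None
    for event in events:
        if "introduced" in event:
            lower = MavenVersion(event["introduced"])
        elif "fixed" in event:
            if lower is not None and lower <= v < MavenVersion(event["fixed"]):
                return True
            lower = None
    return lower is not None and lower <= v


# Constructed event lists mirroring the two hunks under review and the
# corrections proposed in the comments (hypothetical data, not the advisory file).
PR_TOMCAT9 = [{"introduced": "9.0.0"}, {"fixed": "9.0.35"}]
CORRECTED_TOMCAT9 = [{"introduced": "9.0.0.M1"}, {"fixed": "9.0.35"}]
PR_TOMCAT8 = [{"introduced": "8.0.0"}, {"fixed": "8.5.55"}]
CORRECTED_TOMCAT8 = [{"introduced": "8.5.0"}, {"fixed": "8.5.55"}]


def range_report(events: list, versions: list) -> dict:
    """Map each sample version to whether `events` marks it affected."""
    return {v: is_affected(v, events) for v in versions}


if __name__ == "__main__":
    samples9 = ["9.0.0.M1", "9.0.0", "9.0.34", "9.0.35"]
    samples8 = ["8.0.53", "8.5.0", "8.5.54", "8.5.55"]
    print("PR Tomcat 9 range:       ", range_report(PR_TOMCAT9, samples9))
    print("Corrected Tomcat 9 range:", range_report(CORRECTED_TOMCAT9, samples9))
    print("PR Tomcat 8 range:       ", range_report(PR_TOMCAT8, samples8))
    print("Corrected Tomcat 8 range:", range_report(CORRECTED_TOMCAT8, samples8))
```

Running it shows the two effects the comments describe: with `introduced: 9.0.0` the milestone build `9.0.0.M1` is reported as not affected, while `introduced: 9.0.0.M1` covers it; with `introduced: 8.0.0` a Tomcat 8.0.x version such as `8.0.53` is flagged even though the advisory text only names 8.5.0 to 8.5.54, and `introduced: 8.5.0` removes it. The same check can be pointed at any `affected[].ranges[].events` list from an OSV JSON file before it is merged.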
fix affected packages depending on patch codes