[GHSA-2gxp-6r36-m97r] Corrected severity on advisory #5841


protozeit

Corrected severity on advisory so that it is consistent with CVSS 3.1 score and CVE record.

Additionally, I would like to point out that the description on the CVE record mentions that the patched version is 5.4.4 when the bug is actually fixed in version 5.4.3 as can be verified below:

@github-actions github-actions bot changed the base branch from main to protozeit/advisory-improvement-5841 July 22, 2025 14:34
@helixplant

Hi @protozeit,
Thank you for your patience and your contribution. The CVE record has been updated to reflect the correct vulnerable and patch versions along with the CVSS score.

@advisory-database advisory-database bot merged commit 04a25f7 into github:protozeit/advisory-improvement-5841 Jul 23, 2025
1 check passed
@advisory-database
Contributor

Hi @protozeit! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@protozeit protozeit deleted the protozeit-GHSA-2gxp-6r36-m97r branch July 23, 2025 13:53
@protozeit
Author

protozeit commented Jul 23, 2025

Thank you @helixplant.
I think there's been a misunderstanding with the CVE record update for the CVSS. I made this PR in order to remove the CVSS 4.0 score because it was taking precedence over the CVSS 3.1 rating and making the severity go from HIGH to LOW on the advisory. This vulnerability should have HIGH severity in my opinion.

I'm not sure where the CVSS 4.0 score came from, as my original vulnerability report only included the CVSS 3.1 score, which evaluates the vulnerability as HIGH. Is it possible to delete the CVSS 4.0 score from the CVE record as well?

@protozeit
Author

The CVSS 4.0 score is causing inconsistencies across different advisories:
