Closed
Description
This appeared in the CVE additional information here: GHSA-wfm5-v35h-vwf4.
I found it reported already. I am reporting it here just in case.
Activity
Title: CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution
Byron commented on Aug 30, 2023
Thanks. This advisory originated in this repository and is thus known: GHSA-wfm5-v35h-vwf4.
However, it seems hard to communicate using an advisory, so we can keep this issue open to collect comments.
stsewd commented on Aug 30, 2023
BTW, there is another vulnerability that was reported, that is also pending a fix GHSA-cwvm-v4w8-q58c. Looks like a CVE wasn't requested for that one.
Byron commented on Aug 30, 2023
I thought for something less critical, it wouldn't be worth a whole CVE entry.
As collaborator (and author) of the GHSA, are you able to request a CVE? If so, please go ahead if you think there should be one. Otherwise I will do it as per your request. Thanks.
stsewd commented on Aug 30, 2023
@Byron only maintainers can request CVEs. If this was intentional, I don't mind having no CVE for that advisory 👍, I was suggesting it since it looks like people are more pending on CVEs than plain advisories (or that seems to me). We could also create a new issue linking to the advisory, so people are more aware of it.
Byron commented on Aug 30, 2023
I am happy to follow your advice and requested a CVE. It should increase visibility and with that, the chance for a fix.