[GHSA-5mqx-rpxv-mvxj] HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration #6774
Pull request overview
This PR corrects version information in a GitHub Security Advisory for CVE-2024-6717, a path escape vulnerability in HashiCorp Nomad. The update aligns the advisory with the National Vulnerability Database (NVD) data by fixing incorrect version ranges and adding missing affected package entries.
Changes:
- Updated the vulnerability description to clarify affected versions
- Corrected the fixed version from 1.11.1 to 1.6.13 in the first affected package entry
- Added two new affected package entries for fixes in versions 1.7.10 and 1.8.2
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.11.1" | ||
| "fixed": "1.6.13" | ||
| } |
The version range with 'introduced': '0' and 'fixed': '1.6.13' is misleading because it suggests all versions from 0 to 1.6.13 are affected. According to the description, only versions 1.6.12 up to 1.7.9 and 1.8.1 are affected. The 'introduced' field should specify '1.6.12' instead of '0' to accurately represent the affected version range.
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.7.10" | ||
| } |
The version range with 'introduced': '0' and 'fixed': '1.7.10' is incorrect. Based on the description stating that versions 1.6.12 up to 1.7.9 are affected, this range should have 'introduced': '1.7.0' (or the appropriate starting version for the 1.7.x series) rather than '0'.
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.8.2" | ||
| } |
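Review bot: all three affected entries still open with "introduced": "0", so after this change the intervals overlap instead of describing three release series; a version such as 1.7.10, which the second entry marks as fixed, still falls inside the third entry's [0, 1.8.2) interval and a scanner applying OSV semantics would report it as affected. Pair each "fixed" value with the first affected version of its own series (the description quoted in review names 1.6.12, the 1.7.x line and 1.8.1) so the ranges are disjoint.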
The version range with 'introduced': '0' and 'fixed': '1.8.2' is inaccurate. According to the description, only version 1.8.1 in the 1.8.x series is affected. The 'introduced' field should specify '1.8.1' to correctly represent that only this specific version is vulnerable.
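As an added example (not code from the advisory database or from this PR): a small evaluator that applies OSV-style half-open [introduced, fixed) range semantics, the layout the advisory's affected entries use, to show which versions the submitted ranges flag versus ranges scoped to one release series each. The per-series "introduced" values follow the review comments above and are an assumption; the sample versions are constructed.

```python
# Added example, not part of the advisory or this PR: evaluate GHSA/OSV-style
# "ranges" the way a vulnerability scanner does, to compare the submitted
# entries (all "introduced": "0") with ranges scoped to each release series.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.7.10' -> (1, 7, 10); '0' -> (0,), the lowest possible version.
    Assumes plain MAJOR.MINOR.PATCH strings (no pre-release suffixes)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, ranges: List[Dict]) -> bool:
    """OSV semantics: affected if the version lies in any half-open
    [introduced, fixed) interval; an introduced with no fixed is open-ended."""
    v = parse_version(version)
    for rng in ranges:
        lower = None
        for event in rng["events"]:
            if "introduced" in event:
                lower = parse_version(event["introduced"])
            elif "fixed" in event and lower is not None:
                if lower <= v < parse_version(event["fixed"]):
                    return True
                lower = None  # interval closed; look for the next pair
        if lower is not None and lower <= v:
            return True
    return False


# Ranges as they appear in the PR hunks: every entry starts at "0".
AS_SUBMITTED = [
    {"events": [{"introduced": "0"}, {"fixed": "1.6.13"}]},
    {"events": [{"introduced": "0"}, {"fixed": "1.7.10"}]},
    {"events": [{"introduced": "0"}, {"fixed": "1.8.2"}]},
]

# Assumed corrected ranges, using the introduced versions the review comments
# propose (1.6.12, 1.7.0, 1.8.1) so that each entry covers one release series.
PER_SERIES = [
    {"events": [{"introduced": "1.6.12"}, {"fixed": "1.6.13"}]},
    {"events": [{"introduced": "1.7.0"}, {"fixed": "1.7.10"}]},
    {"events": [{"introduced": "1.8.1"}, {"fixed": "1.8.2"}]},
]


def compare(versions: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each version to (affected per submitted ranges, affected per series ranges)."""
    return {v: (is_affected(v, AS_SUBMITTED), is_affected(v, PER_SERIES)) for v in versions}


if __name__ == "__main__":
    # Constructed sample versions: pre-regression, in-range, fixed, and patched releases.
    for ver, (submitted, scoped) in compare(["1.6.11", "1.7.5", "1.7.10", "1.8.0", "1.8.1"]).items():
        print(f"{ver:>7}: submitted={submitted!s:5} per-series={scoped}")
```

With the submitted ranges, 1.6.11 (before the regression) and 1.7.10 (a fixed release) are both reported as affected; with per-series ranges only the versions the description names are.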
Commit 41c1f84 into dduzgun-security/advisory-improvement-6774
Hi @dduzgun-security! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

I corrected the advisory.
Thanks @JonathanLEvans, appreciate the quick look. |
Incorrect versions were present, fixing with what is in NVD.