[GHSA-25c8-p796-jg6r] Microsoft Security Advisory CVE-2023-33170: .NET Security Feature Bypass Vulnerability #2496
Conversation
|
Hi there @rbhanda! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
DmitriyLewen/advisory-improvement-2496
|
The advisory lists |
|
Hi @rbhanda, There appears to be a difference in what's listed in the vulnerable version ranges (VVRs) at the top of the advisory and what's listed in the description of the advisory. If a vulnerable version range appears in the description but not the VVRs, alerts won't go out. There is a difference between the VVRs in the repository advisory and the global advisory based on the evidence GitHub was able to find. The global advisory does not list the following packages and affected versions in the vulnerable version ranges but does list them in the description of the advisory. @DmitriyLewen suggests including them, and accepting the contribution would change the contents of the global advisory.
The repository advisory does not list the following packages and affected versions in the vulnerable version ranges but does list them in the description of the advisory. Any changes made to the global advisory as a result of the contribution would not affect the repository advisory.
If it is appropriate to add 6.0.20 as a fixed version for Microsoft.AspNetCore.App.Runtime.linux-musl-x64 and Microsoft.AspNetCore.App.Runtime.osx-arm64, we can add them to the global advisory. Making the change to the global advisory would not mean the repository advisory receives the same change. When reviewing Microsoft.AspNet.Identity.Owin in NuGet, I noticed that the highest available version is 2.2.4 and there is no 7.x branch, which I why I excluded |
|
Yes, lets add these to the global advisory.
I have updated the repository advisory and removed 7.0.9 for the Microsoft.AspNet.Identity.Owin package. |
|
@shelbyc thanks a lot for your reply and clarification!
Cool!
@rbhanda I need to remove |
|
@DmitriyLewen there is no need to change the PR! I can avoid including |
advisory-database
bot
merged commit 64e1df1
into
DmitriyLewen/advisory-improvement-2496
|
Hi @DmitriyLewen! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
|
@rbhanda Thank you for the clarification! The global advisory is now updated. |
Updates
Comments
The description contains more affected packages than are contained in
Affected products.Add missing packages.