advisory-database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
**Updates** - Affected products - Summary **Comments** Fix
**Updates** - References **Comments** Added link for commit updating tomcat with new fileupload
The current [README](https://github.com/github/advisory-database?tab=readme-ov-file#supported-ecosystems) is confusing, in particular the list of supported ecosystems. We got the following [comment](https://github.com/github/advisory-database/pull/5761#issuecomment-3010809930) on a PR mentioning that Go Std lib vulnerabilities are not part of...
**Updates** - Description **Comments** https://ensy.zip/posts/dompurify-323-bypass/ clearly points out in the title that only the template configuration option is affected. This is important information, as that option is discouraged and...
**Updates** - Affected products - References **Comments** The vulnerability involves both spring-security-aspects and spring-security-core. spring-security-aspects artifact is right to be flagged because the issue is only exploitable when that module...
Hello team, I noticed that [GHSA-gpqc-4pp7-5954](https://github.com/advisories/GHSA-gpqc-4pp7-5954) appears to be identical to [GHSA-26xx-m4q2-xhq8](https://github.com/advisories/GHSA-26xx-m4q2-xhq8). The key difference is that GHSA-26xx-m4q2-xhq8 has been assigned a CVE identifier (CVE-2021-41275) and also includes a broader...
## Description Hello! Thanks for your work! I found 1 confusing case: https://github.com/advisories/GHSA-h4j7-5rxr-p4wc advisory contains `affected[].ranges[].events` + `affectedversions-field`: ``` { "package": { "ecosystem": "NuGet", "name": "Microsoft.Build.Tasks.Core" }, "ranges": [ {...
**Updates** - Affected products - Summary **Comments** From any individual advisory on github.com/advisories, click Suggest improvements for this vulnerability (shown below) to open an "Improve security advisory" form. Edit the...
Hello, We’ve noticed that three of our project libraries have been flagged under CWE-506: Embedded Malicious Code in the GitHub security advisories. After reviewing the codebase and package history, we...
To publish advisories with packages regarding hex.pm, currently the ecosystem has to be set to "Erlang". Since hex.pm is for Erlang, Elixir, Gleam and more, this is confusing. Additionally, the...