
Invalid data from GitLab

Open · pombredanne opened this issue 4 months ago · 1 comment

See https://public2.vulnerablecode.io/packages/v2/pkg:pypi/[email protected]?search=pkg:pypi/[email protected]

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aamiles/CVE-2022-33001.yml is incorrect. After detailed investigation, the fixed version is wrong there.

pombredanne avatar Aug 12 '25 15:08 pombredanne

Incorrect Fixed Version in CVE-2022-33001 Advisory

The fixed version listed in the GitLab advisory for CVE-2022-33001 is incorrect.

Issue

After detailed investigation, I've determined that the fixed version specified in the advisory does not actually resolve the vulnerability.

Analysis

The malicious backdoor was introduced in version 0.1.0 through a dependency on the malicious request package (as documented in #1). Release timeline:

  • 0.1.0 (May 17, 2020) - Vulnerable ❌
  • 0.1.1 (May 18, 2020) - Still vulnerable ❌
  • 0.1.2 (May 18, 2020) - Potentially fixed ✓

Version 0.1.1 does not properly remove the malicious dependency and should not be listed as the fixed version in the advisory.

Recommendation

The GitLab advisory should be updated to reflect the correct fixed version to ensure users are properly protected from this supply chain attack.

References

  • Original vulnerability report: https://github.com/bOrionis/AAmiles/issues/1
  • CVE-2022-33001: https://nvd.nist.gov/vuln/detail/CVE-2022-33001

karthiknew07 avatar Oct 30 '25 06:10 karthiknew07
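The consistency check implied by the comment above, added here as an example (it is not VulnerableCode's or GitLab's code): it flags a claimed fixed version that is itself still vulnerable and derives the earliest clean release. The release timeline is constructed from the comment, and the per-release vulnerable flags are assumptions taken from its analysis.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a plain dotted numeric version such as '0.1.2' into a comparable tuple.
    Constructed helper; it only handles the simple release numbers seen in this advisory."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    vulnerable: bool  # outcome of manual analysis, not taken from the advisory itself


# Constructed timeline mirroring the analysis in the comment above (assumed values).
AAMILES_RELEASES: List[Release] = [
    Release("0.1.0", date(2020, 5, 17), vulnerable=True),
    Release("0.1.1", date(2020, 5, 18), vulnerable=True),
    Release("0.1.2", date(2020, 5, 18), vulnerable=False),
]


def find_fixed_version_conflicts(releases: List[Release], claimed_fixed: str) -> List[str]:
    """Return versions an advisory would treat as fixed (>= claimed_fixed) but which
    analysis found still vulnerable. A non-empty result means the advisory is wrong."""
    fixed = parse_version(claimed_fixed)
    return [r.version for r in releases
            if r.vulnerable and parse_version(r.version) >= fixed]


def earliest_clean_version(releases: List[Release]) -> Optional[str]:
    """Earliest release, by version order, that is not vulnerable and is not followed by
    any vulnerable release; this is the fixed version the advisory should carry."""
    ordered = sorted(releases, key=lambda r: parse_version(r.version))
    last_vulnerable = max((i for i, r in enumerate(ordered) if r.vulnerable), default=-1)
    remaining = ordered[last_vulnerable + 1:]
    return remaining[0].version if remaining else None


if __name__ == "__main__":
    print("conflicts for claimed fix 0.1.1:", find_fixed_version_conflicts(AAMILES_RELEASES, "0.1.1"))
    print("earliest clean release:", earliest_clean_version(AAMILES_RELEASES))
```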