Merge pull request #2484 from github/G-Rath-GHSA-c2qf-rxjj-qqgw

github · Jul 10, 2023 · 81f75e1 · 81f75e1
2 parents 32c6ddc + 8d78e4e
commit 81f75e1
Showing 1 changed file with 25 additions and 12 deletions.
diff --git a/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json b/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c2qf-rxjj-qqgw",
-  "modified": "2023-07-10T22:04:25Z",
+  "modified": "2023-07-10T22:04:27Z",
   "published": "2023-06-21T06:30:28Z",
   "aliases": [
     "CVE-2022-25883"
   ],
   "summary": "semver vulnerable to Regular Expression Denial of Service",
-  "details": "Versions of the package semver before 7.5.2 on the 7.x branch as well as before 6.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\n\n\n",
+  "details": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\n\n\n",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -20,11 +20,6 @@
         "ecosystem": "npm",
         "name": "semver"
       },
-      "ecosystem_specific": {
-        "affected_functions": [
-          "semver.Range"
-        ]
-      },
       "ranges": [
         {
           "type": "ECOSYSTEM",
@@ -44,10 +39,24 @@
         "ecosystem": "npm",
         "name": "semver"
       },
-      "ecosystem_specific": {
-        "affected_functions": [
-          "semver.Range"
-        ]
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0"
+            },
+            {
+              "fixed": "6.3.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "semver"
       },
       "ranges": [
         {
@@ -57,7 +66,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "6.3.1"
+              "fixed": "5.7.2"
             }
           ]
         }
@@ -77,6 +86,10 @@
       "type": "WEB",
       "url": "https://github.com/npm/node-semver/pull/585"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/npm/node-semver/pull/593"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"