sindresorhus/normalize-url

Correction to security advisory (ReDoS)

Closed this issue · 4 comments

Can we correct the advisories on normalize-url for the ReDoS vulnerability CVE-2021-33502 to reflect the updated CVE on NIST? The GitHub and npm advisories state that all versions prior to 4.5.1 are vulnerable, but NIST and the release log say that only 4.3.0 to 4.5.0 should be flagged.

Github Advisory: GHSA-px4h-xg32-q955
NPM Advisory: https://www.npmjs.com/advisories/1755

Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-33502

I don't know if it's a manual process at all. It'd close a lot of vulns for a lot of people if we can get it corrected.
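To make the discrepancy concrete, here is an added example (not code from the issue thread, normalize-url, or any advisory database) that encodes the two vulnerable ranges quoted above as constraints and checks which installed versions each one flags. It assumes "4.3.0 to 4.5.0" is inclusive, i.e. `>=4.3.0 <4.5.1`, and the list of sample versions is constructed for illustration; the comparator is dependency-free and handles only plain `x.y.z` versions.

```javascript
// Added example: compare the broad GitHub/npm range (<4.5.1) with the
// narrower NIST/release-log range (>=4.3.0 <4.5.1) for CVE-2021-33502.
// Not part of the original thread; ranges are as stated in the issue,
// sample versions are constructed.

function parseVersion(v) {
  // Only plain major.minor.patch is supported (no prerelease/build tags).
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not lexicographic) comparison: 4.10.0 > 4.9.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is a list of constraints such as { op: '>=', version: '4.3.0' };
// every constraint must hold for the version to be inside the range.
function satisfies(version, range) {
  return range.every(({ op, version: bound }) => {
    const c = compareVersions(version, bound);
    switch (op) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      case '=': return c === 0;
      default: throw new Error(`unknown operator ${op}`);
    }
  });
}

// Ranges as described in the issue text (the 4.3.0..4.5.0 wording is
// treated as inclusive, hence the upper bound <4.5.1 in both).
const RANGES = {
  'GitHub/npm (original)': [{ op: '<', version: '4.5.1' }],
  'NIST / release log': [
    { op: '>=', version: '4.3.0' },
    { op: '<', version: '4.5.1' },
  ],
};

// Names of the advisories whose range covers the given version.
function flaggedBy(version) {
  return Object.entries(RANGES)
    .filter(([, range]) => satisfies(version, range))
    .map(([name]) => name);
}

// Versions the broad range flags but the corrected range does not: these are
// the false positives the issue asks to have removed.
function falsePositives(versions) {
  return versions.filter(
    (v) =>
      satisfies(v, RANGES['GitHub/npm (original)']) &&
      !satisfies(v, RANGES['NIST / release log']),
  );
}

// Constructed sample of installed versions a dependency scanner might see.
const SAMPLE_VERSIONS = ['1.0.0', '4.2.0', '4.3.0', '4.5.0', '4.5.1', '6.0.0'];

for (const v of SAMPLE_VERSIONS) {
  console.log(v.padEnd(6), flaggedBy(v).join(', ') || '(not flagged)');
}
console.log('false positives under the original range:', falsePositives(SAMPLE_VERSIONS));
```

Anything at or above 4.5.1 is outside both ranges, 4.3.0 through 4.5.0 is inside both, and everything below 4.3.0 is flagged only by the original broad range; the last line lists exactly those versions.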

It looks like it has been corrected on the github advisory now. Thanks to everyone involved 🤗

It looks like GitHub picked up the change from NIST. I still see the wrong version numbers on Snyk.

Snyk now also displays a corrected version number range - just a little bit different from the NIST and GitHub one.