Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-qphf-w3cq-jpmx] IPAddress Infinite Loop vulnerability #3279

Merged
merged 1 commit into from
Jan 12, 2024
Merged

[GHSA-qphf-w3cq-jpmx] IPAddress Infinite Loop vulnerability #3279

merged 1 commit into from
Jan 12, 2024

Conversation

mike-jumper
Copy link

Updates

  • Affected products
  • CVSS
  • Severity

Comments
This shouldn't be flagged as a vulnerability at all. Per seancfoley/IPAddress#118 (comment), an infinite loop case exists only for cases that the developer supplies invalid arguments. There is no security model being violated here, and no implicit requirement that all functions must halt for contrived inputs.

@github-actions github-actions bot changed the base branch from main to mike-jumper/advisory-improvement-3279 January 11, 2024 00:23
@darakian
Copy link
Contributor

Ohhh, ya that does look like it shouldn't have been assigned. We can go ahead and withdraw this instead if you think that's more appropriate. If so, I would also like to ask that someone involved with the project reach out to mitre to get the CVE rejected as well
https://cveform.mitre.org/

@mike-jumper mike-jumper mentioned this pull request Jan 11, 2024
Closed
@seancfoley
Copy link

@darakian I am the project manager of the IPAddress library, and the repository owner, and I have submitted a rejection request to the address you provided. Thanks for the suggestion.

@mike-jumper

@seancfoley
Copy link

Mitre has acknowledged the request, CVE Request 1586075

@darakian
Copy link
Contributor

Awesome. I'll put this through for withdrawal in our system. The Advisory will still be visible but all dependabot alerts will halt 👍

@advisory-database advisory-database bot merged commit f03a585 into mike-jumper/advisory-improvement-3279 Jan 12, 2024
2 checks passed
@advisory-database advisory-database bot deleted the mike-jumper-GHSA-qphf-w3cq-jpmx branch January 12, 2024 17:47
@advisory-database
Copy link
Contributor

Hi @mike-jumper! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@riysaxen-amzn riysaxen-amzn mentioned this pull request Jan 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mike-jumper @darakian @seancfoley