[GHSA-j39c-c8hj-x4j3] Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat #7523
hara-satoshi-ymr wants to merge 1 commit into main from
Conversation
Pull request overview
Updates the GitHub-reviewed advisory for GHSA-j39c-c8hj-x4j3 (CVE-2021-25122) to reflect additional affected Maven artifacts.
Changes:
- Updated the advisory modified timestamp.
- Added org.apache.tomcat:tomcat-coyote as an affected Maven package across the relevant Tomcat release lines.
| { | ||
| "introduced": "10.0.0" | ||
| }, |
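Review bot: Before widening this introduced event to a milestone, confirm on Maven Central that the tomcat-coyote artifact was actually published under those 10.0.0-Mx version strings, and use exactly the published form (hyphenated, "10.0.0-M1") in the event, since OSV Maven matching compares the version string in the event against the artifact's own version string.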
The advisory details state the vulnerable range starts at Tomcat 10.0.0-M1, but this new affected range uses introduced: "10.0.0", which will exclude milestone/pre-release versions from matching. Update the introduced event to include the earliest affected milestone (e.g., 10.0.0-M1) so the range aligns with the described affected versions.
| { | ||
| "introduced": "9.0.0" | ||
| }, |
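Review bot: Note that the 9.x milestone form differs from the 10.x one (dotted "9.0.0.M1" rather than hyphenated), so if this introduced event is changed it must use the dotted spelling that the 9.0.x artifacts were published with; a hyphenated "9.0.0-M1" would not correspond to any published tomcat-coyote version.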
This Tomcat 9.x affected range is marked as introduced at 9.0.0, but the advisory text indicates exposure begins with 9.0.0.M1. Using 9.0.0 may miss affected milestone releases; set the introduced version to the earliest affected milestone (e.g., 9.0.0.M1) to match the described range.
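The two review comments above turn on how OSV range events are matched against Maven versions: a pre-release qualifier such as M1 sorts before the bare release, so an `introduced` event of "10.0.0" never covers "10.0.0-M1". The script below is an added example, not part of this PR or of the advisory database tooling. It implements a deliberately reduced version comparator (numeric segments plus a single alpha/beta/milestone/rc qualifier, modelled on Maven's documented qualifier order; unknown qualifiers are treated as pre-release here, which is a simplification) and an OSV-style introduced/fixed range check. The event lists and the "10.0.99" fixed version are constructed placeholders, not values from the advisory.

```python
"""Added example: why an OSV 'introduced' event of '10.0.0' misses '10.0.0-M1'.

Simplified Maven-style version ordering plus OSV introduced/fixed range
matching. Not the advisory database's own code; the sample events below are
constructed for illustration and the fixed version is a placeholder.
"""
import re

# Subset of Maven's qualifier ordering: alpha < beta < milestone < rc < release.
# Unknown qualifiers are ranked between rc and release here (an assumption made
# for this example; full Maven ordering has more cases).
_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1,
                   "milestone": 2, "m": 2, "rc": 3, "cr": 3}
_RELEASE_KEY = (10, 0)  # a bare release sorts after every pre-release qualifier


def parse_version(version):
    """Split '10.0.0-M1' or '9.0.0.M1' into (numeric segments, qualifier key).

    Both '.' and '-' separate tokens, so the hyphenated 10.x form and the
    dotted 9.x form parse the same way. Anything after the first qualifier
    token is ignored in this simplified model.
    """
    tokens = re.split(r"[.-]", version.strip().lower())
    numbers = []
    qualifier_key = _RELEASE_KEY
    for tok in tokens:
        if tok.isdigit():
            numbers.append(int(tok))
            continue
        m = re.fullmatch(r"([a-z]+)(\d*)", tok)
        if m is None:
            raise ValueError(f"unsupported version token {tok!r} in {version!r}")
        name, num = m.groups()
        qualifier_key = (_QUALIFIER_RANK.get(name, 5), int(num or 0))
        break
    return tuple(numbers), qualifier_key


def compare(a, b):
    """Return -1, 0 or 1 ordering version strings a and b."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na = na + (0,) * (width - len(na))  # '10.0' == '10.0.0', as in Maven
    nb = nb + (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if qa != qb:
        return -1 if qa < qb else 1
    return 0


def is_affected(version, events):
    """OSV ECOSYSTEM-range semantics: each 'introduced' opens a half-open
    range [introduced, fixed); a trailing 'introduced' with no 'fixed' is
    open-ended. The version is affected if it falls inside any range."""
    ranges, lower = [], None
    for event in events:
        if "introduced" in event:
            lower = event["introduced"]
        elif "fixed" in event and lower is not None:
            ranges.append((lower, event["fixed"]))
            lower = None
    if lower is not None:
        ranges.append((lower, None))
    for lo, hi in ranges:
        if compare(version, lo) < 0:
            continue
        if hi is None or compare(version, hi) < 0:
            return True
    return False


# Constructed sample events mirroring the shape of the hunk under review.
# '10.0.99' is a placeholder fixed version, not the advisory's real value.
SUBMITTED_EVENTS = [{"introduced": "10.0.0"}, {"fixed": "10.0.99"}]
CORRECTED_EVENTS = [{"introduced": "10.0.0-M1"}, {"fixed": "10.0.99"}]


if __name__ == "__main__":
    for v in ("10.0.0-M1", "10.0.0-M7", "10.0.0", "10.0.1", "10.0.99"):
        print(f"{v:>10}  submitted={is_affected(v, SUBMITTED_EVENTS)!s:5}  "
              f"corrected={is_affected(v, CORRECTED_EVENTS)!s:5}")
    # The 9.x line has the same problem with the dotted milestone form.
    print("9.0.0.M1 < 9.0.0:", compare("9.0.0.M1", "9.0.0") < 0)
```

Running it shows every 10.0.0-Mx milestone reported as not affected under the submitted events and as affected once the introduced event is moved to the earliest milestone; the same comparator ranks 9.0.0.M1 below 9.0.0, which is the 9.x comment's point. In a real pipeline you would use the ecosystem's own comparator (Maven's ComparableVersion, or the OSV matching library) rather than this reduced one.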
Updates
Comments
adding org.apache.tomcat:tomcat-coyote