[GHSA-7jqf-v358-p8g7] Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability#7671
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the GHSA record for CVE-2024-38286 (Apache Tomcat resource exhaustion via TLS handshake) to refine impacted Maven artifacts/versions and adjust severity metadata.
Changes:
- Updates the
affectedpackage entries to useorg.apache.tomcat:tomcatacross multiple version trains (including EOL-only “last_affected” ranges). - Expands affected artifacts by adding
org.apache.tomcat:tomcat-coyoteranges alongsideorg.apache.tomcat:tomcat. - Adjusts the
severitysection (currently leaving only CVSS v4) and bumps themodifiedtimestamp.
Comments suppressed due to low confidence (1)
advisories/github-reviewed/2024/11/GHSA-7jqf-v358-p8g7/GHSA-7jqf-v358-p8g7.json:16
- The PR description says "CVSS v3" is being updated, but the
CVSS_V3entry was removed from theseverityarray and onlyCVSS_V4remains. If a v3 score is still available for this GHSA/CVE, it should be retained/updated here (many advisories include both v3 and v4); otherwise, please update the PR description to reflect that v3 was intentionally removed.
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"
}
],
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
|
Friendly bump to avoid auto-close. Could a maintainer take a look when you have a chance? |
6530b58
into
hara-satoshi-ymr/advisory-improvement-7671
|
Hi @hara-satoshi-ymr! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
improve affected pacakges