[GHSA-xqrq-4mgf-ff32] Python-Future Module Arbitrary Code Execution via Unintended Import of test.py #6036
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR updates a security advisory (GHSA-xqrq-4mgf-ff32) for the Python-Future module to reflect broader impact than originally reported. The update corrects the CVSS v4 score and expands the affected versions from a single version (1.0.0) to all versions starting from 0.14.0.
Key changes:
- Updated CVSS v4 score by removing the exploitability metric
- Expanded affected versions from single version to version range starting at 0.14.0
- Updated modification timestamp
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| @@ -11,7 +11,7 @@ | |||
| "severity": [ | |||
| { | |||
| "type": "CVSS_V4", | |||
| "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" | |||
| "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" | |||
There was a problem hiding this comment.
The CVSS v4 score appears to be missing the exploitability metric (E:) that was present in the original score. If the vulnerability has proven exploitability, the E:P (Proof-of-concept) metric should be retained to accurately reflect the threat level.
| "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" | |
| "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
Yep, I did not intend to remove that metric. I don't know why it happened.
github-actions
bot
changed the base branch from
main
to
BarrensZeppelin/advisory-improvement-6036
Updates
Comments
The vulnerability affects more than just the single version in the original report.
I tested the PoC on a number of versions to find the lowest affected version (0.14.0).