Skip to content

HSEC-2025-004: add spacecookie library vulnerability #278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

HSEC-2025-004: add spacecookie library vulnerability #278

wants to merge 1 commit into from

Conversation

sternenseemann
Copy link

Advisory

  • It's not duplicated
  • All fields are filled
  • It is validated by hsec-tools

hsec-tools

  • Previous advisories are still valid

@sternenseemann
Copy link
Author

Do we only support a subset of CVSS 3.1? E should be exploit maturity, shouldn't it?

@blackheaven
Copy link
Collaborator

I think @TristanCacqueray did the support, maybe he'll have some insights

@frasertweedale
Copy link
Collaborator

Do we only support a subset of CVSS 3.1? E should be exploit maturity, shouldn't it?

We only support the base scores at this time, not temporal scores.

frasertweedale
frasertweedale requested changes May 4, 2025
View reviewed changes
Copy link
Collaborator

@frasertweedale frasertweedale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for reporting. A few small requests.

advisories/hackage/spacecookie/HSEC-2025-0004.md

[advisory]
id = "HSEC-2025-0004"
cwe = []
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please set cwe = [23].

CWE-23: Relative Path Traversal - https://cwe.mitre.org/data/definitions/23.html

advisories/hackage/spacecookie/HSEC-2025-0004.md
[advisory]
id = "HSEC-2025-0004"
cwe = []
keywords = ["gopher"]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add "path-traversal" to the keyword list.

advisories/hackage/spacecookie/HSEC-2025-0004.md

[[affected]]
package = "spacecookie"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in my other comment, we need to remove the temporal CVSS fields (which our library does not yet support).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blackheaven blackheaven blackheaven approved these changes

@frasertweedale frasertweedale frasertweedale requested changes

@mihaimaruseac mihaimaruseac mihaimaruseac approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sternenseemann @blackheaven @frasertweedale @mihaimaruseac