Skip to content

[GHSA-653p-vg55-5652] Apache Tomcat Uncontrolled Resource Consumption vulnerability#7771

Merged
advisory-database[bot] merged 1 commit into
yusuke-koyoshi/advisory-improvement-7771from
yusuke-koyoshi-GHSA-653p-vg55-5652
Jul 6, 2026
Merged

[GHSA-653p-vg55-5652] Apache Tomcat Uncontrolled Resource Consumption vulnerability#7771
advisory-database[bot] merged 1 commit into
yusuke-koyoshi/advisory-improvement-7771from
yusuke-koyoshi-GHSA-653p-vg55-5652

Conversation

@yusuke-koyoshi

@yusuke-koyoshi yusuke-koyoshi commented May 21, 2026

Copy link
Copy Markdown

Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • Severity

Comments
#7521
fixes are not accurately incorporated

The "Suggest improvements" UI does not allow editing the Threat metric
E:U. Please remove it manually when applying this proposal so the
final vector contains only Base metrics:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

This aligns with the principle that an advisory database should
publish vendor-neutral Base metrics only, and let downstream tooling
overlay environment-specific Threat/Environmental metrics.

Copilot AI review requested due to automatic review settings May 21, 2026 05:47
@github-actions github-actions Bot changed the base branch from main to yusuke-koyoshi/advisory-improvement-7771 May 21, 2026 05:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates a GitHub-reviewed security advisory for Apache Tomcat by adjusting scoring metadata and affected package coordinates to better reflect the vulnerability impact and scope.

Changes:

  • Updated CVSS metadata (removed CVSS v3 entry and adjusted CVSS v4 vector).
  • Changed the Maven package coordinate in the affected package list.
  • Updated overall advisory severity from LOW to MODERATE and refreshed the modified timestamp.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 11 to 16
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
}
],

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The UI does not allow you to change CVSS v3 and CVSS v4 at the same time.
When importing, please import CVSS v3 without deleting it.

Comment on lines 76 to 79
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
"name": "org.apache.tomcat:tomcat"
},

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #7521

{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This aligns with the principle that an advisory database should
publish vendor-neutral Base metrics only, and let downstream tooling
overlay environment-specific Threat/Environmental metrics.

@yusuke-koyoshi

Copy link
Copy Markdown
Author

Please review this PR.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jul 5, 2026
@yusuke-koyoshi

Copy link
Copy Markdown
Author

Please review this PR.

@advisory-database advisory-database Bot merged commit 61c43f3 into yusuke-koyoshi/advisory-improvement-7771 Jul 6, 2026
4 checks passed
@advisory-database

Copy link
Copy Markdown
Contributor

Hi @yusuke-koyoshi! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database Bot deleted the yusuke-koyoshi-GHSA-653p-vg55-5652 branch July 6, 2026 14:13
@taladrane

Copy link
Copy Markdown
Collaborator

👋 thank you for your contribution! I've updated the affected products to align with the description and removed E:U from the CVSS 4.0 score for this specific advisory (we will still use E across other advisories when there's credible information from sufficiently comprehensive sources, and avoid using E:U to assert claims that are stronger than current evidence supports)

@yusuke-koyoshi

Copy link
Copy Markdown
Author

@taladrane
Thank you for the quick fix!
That said, I'd like to respectfully push back on the policy of keeping E on other advisories: Threat/Environmental metrics should not be included in advisory data, regardless of how credible the source is.
The reason is that Threat metrics are time-varying by definition. The CVSS v4.0 specification states that Threat metrics should reflect current threat intelligence and be re-evaluated as it changes (e.g., E must be raised once a PoC or active exploitation appears). A value that was accurate at publication becomes stale unless someone continuously re-assesses it — and there is no guarantee that the original source will keep maintaining the vulnerability after publication. In practice, most sources never revisit their scores, so a stale E:U/E:P ends up permanently understating (or misstating) severity for downstream consumers.
Since the Advisory Database is a static, point-in-time record, I believe it should publish Base metrics only, and leave Threat/Environmental overlays to downstream tooling that can consume live sources such as EPSS or CISA KEV.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants