[GHSA-653p-vg55-5652] Apache Tomcat Uncontrolled Resource Consumption vulnerability#7771
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates a GitHub-reviewed security advisory for Apache Tomcat by adjusting scoring metadata and affected package coordinates to better reflect the vulnerability impact and scope.
Changes:
- Updated CVSS metadata (removed CVSS v3 entry and adjusted CVSS v4 vector).
- Changed the Maven package coordinate in the affected package list.
- Updated overall advisory severity from LOW to MODERATE and refreshed the modified timestamp.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" | ||
| } | ||
| ], |
There was a problem hiding this comment.
The UI does not allow you to change CVSS v3 and CVSS v4 at the same time.
When importing, please import CVSS v3 without deleting it.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat:tomcat-catalina" | ||
| "name": "org.apache.tomcat:tomcat" | ||
| }, |
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" |
There was a problem hiding this comment.
This aligns with the principle that an advisory database should
publish vendor-neutral Base metrics only, and let downstream tooling
overlay environment-specific Threat/Environmental metrics.
|
Please review this PR. |
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
|
Please review this PR. |
61c43f3
into
yusuke-koyoshi/advisory-improvement-7771
|
Hi @yusuke-koyoshi! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
|
👋 thank you for your contribution! I've updated the affected products to align with the description and removed |
|
@taladrane |
Updates
Comments
#7521
fixes are not accurately incorporated
The "Suggest improvements" UI does not allow editing the Threat metric
E:U. Please remove it manually when applying this proposal so the
final vector contains only Base metrics:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
This aligns with the principle that an advisory database should
publish vendor-neutral Base metrics only, and let downstream tooling
overlay environment-specific Threat/Environmental metrics.