[GHSA-859w-5945-r5v3] Vite's server.fs.deny bypassed with /. for files under project root #6018
Conversation
|
Hi there @sapphi-red! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
Pull Request Overview
Updates the security advisory GHSA-859w-5945-r5v3 to remove CVSS v4 scoring and change severity classification from MODERATE to CRITICAL for a Vite vulnerability that allows bypassing server.fs.deny restrictions.
- Removes CVSS v4 scoring information from the severity section
- Updates severity classification from MODERATE to CRITICAL
- Updates the modification timestamp
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" | ||
| } | ||
| ], | ||
| "severity": [], |
There was a problem hiding this comment.
The severity array is being emptied while the severity classification is being changed to CRITICAL. This creates an inconsistency where the main severity field indicates CRITICAL but the detailed severity scoring is removed. Consider either maintaining the CVSS v4 scoring with updated values or providing justification for removing the quantitative scoring while escalating the qualitative severity.
| "severity": [], | |
| "severity": [ | |
| { | |
| "type": "CVSS_V4", | |
| "score": 9.8, | |
| "vector": "CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" | |
| } | |
| ], |
Copilot uses AI. Check for mistakes.
Updates
Comments
GitHub