diff --git a/advisories/unreviewed/2022/05/GHSA-rrg6-wpjx-p5jf/GHSA-rrg6-wpjx-p5jf.json b/advisories/unreviewed/2022/05/GHSA-rrg6-wpjx-p5jf/GHSA-rrg6-wpjx-p5jf.json
index 7d3cbd42353dc..fca2f6ac2244a 100644
--- a/advisories/unreviewed/2022/05/GHSA-rrg6-wpjx-p5jf/GHSA-rrg6-wpjx-p5jf.json
+++ b/advisories/unreviewed/2022/05/GHSA-rrg6-wpjx-p5jf/GHSA-rrg6-wpjx-p5jf.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rrg6-wpjx-p5jf",
- "modified": "2022-05-13T01:38:39Z",
+ "modified": "2023-02-01T05:08:58Z",
 "published": "2022-05-13T01:38:39Z",
 "aliases": [
 "CVE-2016-8620"
 ],
+ "summary": "curl tool glob parser write/read out of bounds",
 "details": "The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.",
 "severity": [
 {
@@ -13,12 +14,39 @@
 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
- "affected": [],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "GitHub Actions",
+ "name": "curl"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.34.0"
+ },
+ {
+ "fixed": "7.51.0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 7.50.3"
+ }
+ }
+ ],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8620"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/curl/curl/commit/fbb5f1aa0326d485d5a7ac643"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/errata/RHSA-2018:3558"
@@ -31,6 +59,14 @@
 "type": "WEB",
 "url": "https://curl.haxx.se/docs/adv_20161102F.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://curl.se/docs/CVE-2016-8620.html"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/curl/curl"
+ },
 {
 "type": "WEB",
 "url": "https://security.gentoo.org/glsa/201701-47"
@@ -54,6 +90,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-122",
 "CWE-125"
 ],
 "severity": "CRITICAL",
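Review bot: The added `summary` says "write/read out of bounds" and the last hunk adds `CWE-122` (heap-based buffer overflow, a write), but the unchanged `details` text in this hunk still describes only "integer overflow and out-of-bounds read", so the three fields now disagree on whether an out-of-bounds write is part of the flaw. Either `details` should be extended to mention the write, or the summary wording and the CWE-122 addition should be reconsidered; the diff does not say which is authoritative. The integer overflow that `details` does describe is also absent from `cwe_ids`, where `CWE-190` would be the matching entry if that characterization is kept.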
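Review bot: The new `affected` entry files curl under `"ecosystem": "GitHub Actions"` with `"name": "curl"`, which looks like a misclassification: curl is a C tool, not an action, and package names in that ecosystem are normally `owner/repo` action paths, so an `ECOSYSTEM` range on `"curl"` is unlikely to match anything a consumer queries. If the intent is to describe the curl source tree, the schema-conformant form would be a `GIT` range with `"repo": "https://github.com/curl/curl"` keyed on the fix commit that this same hunk adds as a reference, rather than an ecosystem version range. The `"introduced": "7.34.0"` bound is also not supported by the `details` text, which only gives the `7.51.0` upper bound; a pointer to its source (presumably the curl advisory added in the next hunk) would make it auditable. The commit reference URL uses an abbreviated hash, which is resolvable today but less stable than the full SHA.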