[GHSA-7xrh-hqfc-g7qr] Hostname verification in Apache ZooKeeper ZKTrustManager...#7130
kascit wants to merge 1 commit into kascit/advisory-improvement-7130 from
Conversation
Pull request overview
Updates the GHSA advisory metadata for Apache ZooKeeper hostname verification bypass to match the upstream Apache advisory.
Changes:
- Added Maven package coordinates and affected version ranges for ZooKeeper 3.8.x and 3.9.x
- Added a clearer advisory summary
- Added an additional CWE classification (CWE-350)
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 3.9.4" | ||
| } |
"last_known_affected_version_range" is expressed as "<= 3.9.4", which can incorrectly exclude patch/qualifier versions that still fall before the fixed release (e.g., "3.9.4.1" or similar Maven-style versions). To avoid under-reporting affected versions, align this with the fixed boundary (e.g., express it as "< 3.9.5").
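As an added illustration of the point above (example code, not part of the advisory, the PR, or the ZooKeeper project), the following shows how a `<=` bound can miss a four-segment version that still precedes the fix, while a `<` bound at the fixed release does not. It assumes a simplified numeric dotted-version comparison, not Maven's full ComparableVersion rules; the candidate versions are constructed sample values.

```python
# Added example: compares single-bound advisory ranges such as "<= 3.9.4"
# and "< 3.9.5" against a version list. Assumption: versions are purely
# numeric dotted strings (Maven qualifiers like "-SNAPSHOT" are not modelled).
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse '3.9.4.1' into (3, 9, 4, 1). Numeric segments only (assumption)."""
    return tuple(int(part) for part in v.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare, zero-padding so that 3.9.4 == 3.9.4.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version: str, range_expr: str) -> bool:
    """Evaluate a single-bound range like '<= 3.9.4' or '< 3.9.5'."""
    op, bound = range_expr.split()
    c = compare(parse_version(version), parse_version(bound))
    ops = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}
    return ops[op]


def under_reported(range_expr: str, fixed: str, candidates: List[str]) -> List[str]:
    """Versions that are below the fixed release but which range_expr fails to flag."""
    fixed_t = parse_version(fixed)
    return [
        v for v in candidates
        if compare(parse_version(v), fixed_t) < 0 and not in_range(v, range_expr)
    ]


# Constructed sample versions around the 3.9.x fix boundary named in the PR.
CANDIDATES = ["3.9.0", "3.9.4", "3.9.4.1", "3.9.5"]

if __name__ == "__main__":
    print("missed by '<= 3.9.4':", under_reported("<= 3.9.4", "3.9.5", CANDIDATES))
    print("missed by '< 3.9.5': ", under_reported("< 3.9.5", "3.9.5", CANDIDATES))
```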
| } | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 3.8.5" |
Same issue as above: using "<= 3.8.5" may miss affected patch/qualifier versions that are still prior to the fix. Consider expressing this relative to the fix boundary (e.g., "< 3.8.6") to avoid excluding versions that should be considered affected.
| "last_known_affected_version_range": "<= 3.8.5" | |
| "last_known_affected_version_range": "< 3.8.6" |
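Review bot: this region only moves the 3.8.x bound to the fix boundary (`"< 3.8.6"`); the 3.9.x entry in the earlier hunk still reads `"last_known_affected_version_range": "<= 3.9.4"`. Apply the same form there (`"< 3.9.5"`, matching the 3.9.5 fix named in the PR description) so both branches are expressed consistently against their fixed release.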
Adding missing Maven package, version, and CWE metadata based on the official Apache advisory. It confirms org.apache.zookeeper:zookeeper versions 3.8.0-3.8.5 and 3.9.0-3.9.4 are affected, with patches in 3.8.6 and 3.9.5 respectively.