[GHSA-r3hf-q3mf-7h6w] A vulnerability was found in HybridAuth up to 3.12.2....#7219
jontyms wants to merge 1 commit into jontyms/advisory-improvement-7219 from
Conversation
Pull request overview
This PR updates the metadata for GHSA-r3hf-q3mf-7h6w (HybridAuth) to better describe the vulnerability and its impact, including adding package impact information.
Changes:
- Added a human-readable summary.
- Populated affected with a Packagist package and an ecosystem range.
- Adjusted a reference type (WEB → PACKAGE) and updated the modified timestamp.
| "summary": "Improper SSL Certificate Validation in HybridAuth Curl HTTP Client", | ||
| "details": "A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.", | ||
| "severity": [ | ||
| "severity": [], | ||
| "affected": [ |
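Review bot: the new "details" text does not yet say how certificate validation is weakened, so the "summary" line ("Improper SSL Certificate Validation in HybridAuth Curl HTTP Client") is more specific than the paragraph that is supposed to support it; "some unknown processing of the file src/HttpClient/Curl.php" and "manipulation of the argument curlOptions" should be replaced by a sentence naming which curl option values bypass verification, or the summary should be kept as vague as the details. The same paragraph calls the attack remotely launchable while describing the vector as manipulation of an argument, i.e. a value the caller passes; one of those two statements needs qualifying. In the same hunk, `"severity": [` becomes `"severity": [],`, which drops the existing CVSS vectors without the PR description saying why; keep or update them rather than emptying the array.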
The PR description mentions updating CVSS v3/v4, but this change removes the existing CVSS entries and leaves severity empty. If CVSS vectors are known for this CVE, they should remain here (possibly updated), otherwise the PR description (or the data) should be corrected to avoid losing scoring information for consumers.
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| } | ||
| ] | ||
| } | ||
| ], |
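Review bot: the ECOSYSTEM range closes after `"introduced": "0"` with no terminating event, so any OSV consumer will flag every HybridAuth release, including ones published after this advisory, as affected. Because the details say the project "has not responded yet", there is no fixed release to point at, so the correct closing event is `last_affected`, not `fixed`: add `{ "last_affected": "3.12.2" }` as a second element of the events array and keep it in step with whatever upper bound is written into database_specific.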
The affected range is currently unbounded (introduced: "0" with no corresponding fixed or last_affected event). In OSV semantics this indicates that all versions are affected indefinitely, which conflicts with the last_known_affected_version_range and the details saying the issue is only present up to a certain version. Please bound the range by adding an appropriate end event (last_affected or fixed) so automated version matching is accurate.
| } | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "< 3.12.2" |
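Review bot: `last_known_affected_version_range` is free-form text under `database_specific` that OSV version matching does not read; the authoritative data is `affected[].ranges`, which in this PR is unbounded. Whichever bound is chosen here ("<= 3.12.2", if "up to 3.12.2" in the details is meant inclusively) must also appear as the `last_affected` event in the ECOSYSTEM range above, otherwise the two fields disagree and tooling silently uses the unbounded one.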
database_specific.last_known_affected_version_range is set to < 3.12.2, but the advisory text says "up to 3.12.2" (which typically includes 3.12.2). Please align the version range expression with the described affected versions (e.g., <= 3.12.2 or an equivalent upper bound) so the metadata is internally consistent.
| "last_known_affected_version_range": "< 3.12.2" | |
| "last_known_affected_version_range": "<= 3.12.2" |
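The two range comments above (the unbounded ECOSYSTEM range, and "< 3.12.2" versus "<= 3.12.2" in database_specific) can be checked mechanically. The following Python is an added example written for this review, not tooling from the advisory database or the HybridAuth project: it implements OSV ECOSYSTEM-range semantics (a version is affected if it is at or above an `introduced` event and, when that event is closed, below `fixed` or at or below `last_affected`) and lints a constructed copy of the entry as submitted against a bounded copy. The package name hybridauth/hybridauth and the restriction to plain numeric Composer versions are assumptions.

```python
"""OSV ECOSYSTEM range matcher and consistency lint for the HybridAuth entry.

Added example for this review, not the advisory database's own tooling.
Assumptions: Packagist package name "hybridauth/hybridauth" (the PR only says
"a Packagist package") and plain numeric Composer versions.
"""
from __future__ import annotations

import re

# Constructed sample 1: the affected entry as submitted in this PR, with an
# `introduced: "0"` event and no closing event.
UNBOUNDED = {
    "package": {"ecosystem": "Packagist", "name": "hybridauth/hybridauth"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
    "database_specific": {"last_known_affected_version_range": "< 3.12.2"},
}

# Constructed sample 2: the same entry bounded the way the review asks for.
# `last_affected` rather than `fixed`, because no fixed release is known.
BOUNDED = {
    "package": {"ecosystem": "Packagist", "name": "hybridauth/hybridauth"},
    "ranges": [{"type": "ECOSYSTEM", "events": [
        {"introduced": "0"}, {"last_affected": "3.12.2"}]}],
    "database_specific": {"last_known_affected_version_range": "<= 3.12.2"},
}


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric Composer version (optional 'v' prefix) -> comparable tuple, padded to 3 parts."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unsupported version {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def next_patch(v: str) -> str:
    """Smallest plausible version above v, used to probe just beyond a text bound."""
    parts = list(parse_version(v))
    parts[-1] += 1
    return ".".join(map(str, parts))


def is_affected(entry: dict, version: str) -> bool:
    """OSV ECOSYSTEM semantics: affected if version >= an `introduced` event and,
    when that event is closed, < `fixed` or <= `last_affected`.
    An `introduced` with no closing event is open-ended (matches everything above it)."""
    ver = parse_version(version)
    for rng in entry["ranges"]:
        if rng["type"] != "ECOSYSTEM":
            continue
        start = None
        for ev in rng["events"]:
            if "introduced" in ev:
                start = parse_version(ev["introduced"])
            elif start is not None and "fixed" in ev:
                if start <= ver < parse_version(ev["fixed"]):
                    return True
                start = None
            elif start is not None and "last_affected" in ev:
                if start <= ver <= parse_version(ev["last_affected"]):
                    return True
                start = None
        if start is not None and ver >= start:  # open-ended range, no closing event
            return True
    return False


def lint(entry: dict) -> list[str]:
    """Report an unbounded range and any disagreement between the structured range
    and the free-text database_specific expression ('< X' or '<= X')."""
    problems = []
    for rng in entry["ranges"]:
        if rng["type"] == "ECOSYSTEM" and not any(
                "fixed" in e or "last_affected" in e for e in rng["events"]):
            problems.append("ECOSYSTEM range has no fixed/last_affected event: every version matches")
    expr = entry.get("database_specific", {}).get("last_known_affected_version_range", "")
    m = re.fullmatch(r"(<=|<)\s*(\S+)", expr)
    if m:
        op, bound = m.groups()
        # '<= X' claims X itself is affected; '< X' claims it is not.
        if is_affected(entry, bound) != (op == "<="):
            problems.append(f"range and {expr!r} disagree on whether {bound} is affected")
        if is_affected(entry, next_patch(bound)):
            problems.append(f"range matches {next_patch(bound)}, beyond the text bound {expr!r}")
    return problems


if __name__ == "__main__":
    for label, entry in (("as submitted", UNBOUNDED), ("bounded", BOUNDED)):
        hits = [v for v in ("3.11.0", "3.12.2", "3.12.3") if is_affected(entry, v)]
        print(f"{label}: affected={hits} problems={lint(entry)}")
```

Run stand-alone, the entry as submitted matches 3.12.3 (and anything later) and produces three lint findings; the bounded entry matches 3.12.2 but not 3.12.3 and lints clean. Changing only one of the two fields (for example bounding the range but leaving "< 3.12.2" in database_specific) still produces a finding, which is the inconsistency the third comment above is about.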
Added more details