[GHSA-r3hf-q3mf-7h6w] A vulnerability was found in HybridAuth up to 3.12.2.... #7219
base: jontyms/advisory-improvement-7219
| @@ -1,23 +1,35 @@ | ||||||
| { | ||||||
| "schema_version": "1.4.0", | ||||||
| "id": "GHSA-r3hf-q3mf-7h6w", | ||||||
| "modified": "2026-03-23T15:30:44Z", | ||||||
| "modified": "2026-03-23T15:30:45Z", | ||||||
| "published": "2026-03-23T15:30:44Z", | ||||||
| "aliases": [ | ||||||
| "CVE-2026-4587" | ||||||
| ], | ||||||
| "summary": "Improper SSL Certificate Validation in HybridAuth Curl HTTP Client", | ||||||
| "details": "A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.", | ||||||
| "severity": [ | ||||||
| "severity": [], | ||||||
| "affected": [ | ||||||
| { | ||||||
| "type": "CVSS_V3", | ||||||
| "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" | ||||||
| }, | ||||||
| { | ||||||
| "type": "CVSS_V4", | ||||||
| "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" | ||||||
| "package": { | ||||||
| "ecosystem": "Packagist", | ||||||
| "name": "hybridauth/hybridauth" | ||||||
| }, | ||||||
| "ranges": [ | ||||||
| { | ||||||
| "type": "ECOSYSTEM", | ||||||
| "events": [ | ||||||
| { | ||||||
| "introduced": "0" | ||||||
| } | ||||||
| ] | ||||||
| } | ||||||
| ], | ||||||
| "database_specific": { | ||||||
| "last_known_affected_version_range": "< 3.12.2" | ||||||
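Review bot: the `last_known_affected_version_range` value `"< 3.12.2"` added in the `database_specific` block at the end of this hunk excludes 3.12.2, yet the `details` string in the same hunk says the flaw affects HybridAuth "up to 3.12.2" and that the project "has not responded yet", and the `ranges` entry carries only an `"introduced": "0"` event with no `fixed` event, so no fixed version is recorded anywhere in the file. Either change the value to `"<= 3.12.2"` or, if 3.12.2 really is fixed, add the corresponding `fixed` event to `ranges` so the two fields agree. The hunk also replaces the populated `severity` array (the CVSS 3.1 and CVSS 4.0 vectors at the top of the hunk) with `"severity": []`; if dropping the scores is intentional the PR should say why, otherwise the vectors should be kept.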
Suggested change:
- "last_known_affected_version_range": "< 3.12.2"
+ "last_known_affected_version_range": "<= 3.12.2"
The PR description mentions updating CVSS v3/v4, but this change removes the existing CVSS entries and leaves `severity` empty. If CVSS vectors are known for this CVE, they should remain here (possibly updated); otherwise the PR description (or the data) should be corrected to avoid losing scoring information for consumers.