[GHSA-m425-mq94-257g] gRPC-Go HTTP/2 Rapid Reset vulnerability

[neilcar]

Updates

• Affected products

Comments
CVE is CVE-2023-44487. CVE field is missing from this form to submit improvements.

[github]

Hi there @dfawley! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[dfawley]

@neilcar I'm not sure what to do with this. It doesn't appear to change anything and the checker failed (Processing advisory improvement — Could not process advisory improvement)

[neilcar]

@dfawley The problem is that the field that needs updating isn't an option on the form for proposing an update (or I'm missing it).

The "CVE ID" field here is null but, based on the links, there's a CVE ID for this one. How do I propose a change to fill in the proper CVE ID?

[dfawley]

I'm not sure, but the security advisory in our repo shows the CVE ID linked correctly:

GHSA-m425-mq94-257g

[darakian]

Apologies about that but we have that CVE id linked over here
GHSA-qppj-fm5r-hxr3
Our system only allows for one GHSA to have any given CVE hence why
GHSA-m425-mq94-257g
shows up without the CVE linked.

[neilcar]

@darakian Is there a discussion of this (only one GHSA can be linked to a CVE) anywhere? This seems deeply problematic for anybody who is parsing this data.

[darakian]

We certainly do discuss it internally, but it's not an easy thing to "fix". There's more public discussion of it over here
#2869
which links out to other PRs like this one.

From a parsing perspective it's probably better to key off affected artifacts rather than CVE ids