Hi there @joakime! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Reject.

First, the Eclipse CNA is the one managing this CVE, not Github.
Second, the Jetty 9.x and 10.x and 11.x versions are EOL and have no support anymore, not even vulnerability fixes (noone should be using those versions of Jetty anymore)

Hi @levpachmanov! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

Good morning @levpachmanov and @joakime, and sorry about the confusion! The only change made to the advisory with the merge was adding credit for @levpachmanov, and neither jetty/jetty.project#12200 nor jetty/jetty.project#12201 were incorporated into the list of reference links.

Since the changes suggested by @levpachmanov weren't incorporated into GHSA-g8m5-722r-8whq, I'll start the process of undoing the change that was made, which in this case was just adding a credit.

@joakime I have a question about jetty/jetty.project#11723, which is listed as a reference link in https://nvd.nist.gov/vuln/detail/CVE-2024-8184 and GHSA-g8m5-722r-8whq. Is jetty/jetty.project#11723 still relevant to CVE-2024-8184, or should that reference link be removed as well?

@shelbyc as the github advisory database schema doesn't support the CVE tag unsupported-when-assigned or the newer CVE EOL definitions, we request that the reference links only point to jetty/jetty.project#11723 (which is how we had it defined via the Eclipse CNA group as well). Any other links to other github issues or prs should be removed.

Good morning @levpachmanov and @joakime, and sorry about the confusion! The only change made to the advisory with the merge was adding credit for @levpachmanov,

Also, for the record, this vulnerability was reported to us by @HRsGIT on Apr 4, 2024, and has been so indicated on both the github advisory side and the CVE side.

Assigning credit to @levpachmanov is dubious, what exactly is this user being credited for on this vulnerability?

@joakime the PR was merged in error when it should have been closed. The only change made in the PR merge was to add credit to @levpachmanov. At no point were jetty/jetty.project#12200 or jetty/jetty.project#12201 added to the references. The only PR included as a reference link is jetty/jetty.project#11723.

GHSA-g8m5-722r-8whq has been corrected to remove the erroneous credit, since the suggested links of jetty/jetty.project#12200 and jetty/jetty.project#12201 weren't actually incorporated into the advisory.

Hi @levpachmanov! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!