🚀 49,000 Patches !

We’ve updated our dataset (https://huggingface.co/datasets/CIRCL/vulnerability-cwe-patch) of real-world vulnerabilities, now enriched with #CWE identifiers and #patches collected from platforms like GitHub, GitLab, Bitbucket.

This dataset is designed to support the development of tools for vulnerability classification. Dataset features are:

- #CVE / #GHSA ID
- Title of the #vulnerability
- Vulnerability description
- Patches (URL, Commit message, and Base64-encoded unified diff)
- CWE categorization

Are all of the Unreviewed GitHub Security Advisories missing package and version range information? Yikes, that's not a fun data curating problem.

https://github.com/advisories/GHSA-x7h6-xxfr-j6pv

#github #ghsa

Could someone on @github's GHSA team please look at these PRs to remove obvious duplicate advisories? It's been a week now and still waiting.

• https://github.com/github/advisory-database/pull/5622
• https://github.com/github/advisory-database/pull/5624

Also this PR which was closed but removes an advisory that just simply references three other advisories affecting a project's dependency. Last time a checked you are not supposed to issue advisories for other advisories; unless you've vendored the vulnerable code.

• https://github.com/github/advisory-database/pull/5625

#github #ghsa

Anyone at @github's GHSA team care to look into this PR that got closed? I believe I've found an omniauth-saml advisory that simply references three other GHSA advisories that affect one of it's dependencies, ruby-saml. I see no evidence why a separate advisory needs to exist for omniauth-saml, when the security issues exist in ruby-saml, and can easily be upgraded independently of omniauth-saml (ex: gem upgrade ruby-saml / bundle update ruby-saml). This seems like a maintainer created yet another advisory simply to notify their users about other advisories affecting their dependencies, which seems like overkill and creates duplicate security advisory data. I think this GHSA advisory should be withdrawn/removed.
https://github.com/github/advisory-database/pull/5625

#ghsa #omniauth #saml

I'm finally allowed to speak about this nice little DoS vulnerability I found in #starlette (and #FastAPI).

#CVE https://www.cve.org/CVERecord?id=CVE-2024-47874
#GHSA https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw

#infosec #Python

Buckle up everybody, it's another advisory in a popular gem with no patch and slightly inaccurate details. This time affecting all versions of json-jwt:
https://github.com/advisories/GHSA-c8v6-786g-vjx6

The GHSA and NVD entries claim 1.16.3 and below are affected, however the most recent version is 1.16.5, but I reviewed the diffs between the newer versions and don't see significant changes to the logic.

• https://my.diffend.io/gems/json-jwt/1.16.3/1.16.4
• https://my.diffend.io/gems/json-jwt/1.16.4/1.16.5

The original advisory was created 2023-12-22, and 1.16.4 was published 2023-12-27, so that checks out as old information. I really wish someone would double check these advisories before they get added to databases.
#ghsa #rubysec