[GHSA-jc38-x7x8-2xc8] PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks #8484
Conversation
Hi there @Spomky! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GitHub-reviewed OSV advisory for GHSA-jc38-x7x8-2xc8 (PHP JWT Framework algorithm confusion via unprotected JOSE headers) to correct vulnerability metadata, particularly affected version ranges and severity information, aligning the record with the intended fix releases.
Changes:
- Corrected the CVSS v4 vector string (removing the previously appended `/E:P` threat metric from the stored vector).
- Replaced an incorrect broad `last_affected` bound with explicit `fixed` versions across the relevant Packagist packages and release lines.
- Updated `database_specific.severity` from `HIGH` to `CRITICAL` and bumped the `modified` timestamp.
Wrong software versions, see GHSA-jc38-x7x8-2xc8 for reference.
Unclear to me why two versions of the same GHSA exist in the first place; these should be in sync.