[GHSA-ghjv-mh6x-7q6h] avo vulnerable to stored cross-site scripting (XSS) in key_value field

[tamaloa]

Updates

• Affected products
• References

Comments
Fix was backported to 2.x in avo-hq/avo#2382 and the security-advisory updated to reflect this: GHSA-ghjv-mh6x-7q6h

[github]

Hi there @Mys7ic and @adrianthedev! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[adrianthedev]

Looks good!

I thought that by editing our advisory it will be in effect for everyone.
I'm not that familiar with advisories it seems.

[advisory-database]

Hi @tamaloa! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

@tamaloa thank you for letting us know about the backported fix to 2.47.0 and @adrianthedev thank you for confirming that 2.47.0 contains a fix!

In addition to updating the advisory, I have also updated the CVE record for CVE-2024-22191. The updated record is now live at https://cveawg.mitre.org/api/cve/CVE-2024-22191, but it may take time for the changes to propagate to https://nvd.nist.gov/vuln/detail/CVE-2024-22191. I also added avo-hq/avo@fc92a05 as a reference link for the advisory and the CVE record.

I thought that by editing our advisory it will be in effect for everyone.

Repository advisories and global advisories have slightly different formatting requirements, and the changes to the repository advisory aren't pushed automatically to allow curators to make changes specific to the needs and requirements of global advisories.

In this case, the vulnerable version ranges (VVRs) in the repository advisory for GHSA-ghjv-mh6x-7q6h are <= 3.2.3 and <= 2.46, but I set a lower bound on <= 3.2.3 in the global advisory for GHSA-ghjv-mh6x-7q6h, changing the VVR to >= 3.0.0.beta1, <= 3.2.3 to avoid the vulnerable version ranges for the 2.x and 3.x branches overlapping. I also made sure that the VVR and fixed version were <= 2.46.0 and 2.47.0, respectively, to correspond to versions that exist on https://rubygems.org/gems/avo/versions.

[adrianthedev]

Thanks for the explanation @shelbyc.