[GHSA-653p-vg55-5652] Apache Tomcat Uncontrolled Resource Consumption vulnerability #7771
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates a GitHub-reviewed security advisory for Apache Tomcat by adjusting scoring metadata and affected package coordinates to better reflect the vulnerability impact and scope.
Changes:
- Updated CVSS metadata (removed CVSS v3 entry and adjusted CVSS v4 vector).
- Changed the Maven package coordinate in the affected package list.
- Updated overall advisory severity from LOW to MODERATE and refreshed the modified timestamp.
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" | ||
| } | ||
| ], |
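Review bot: The `CVSS_V3` entry is deleted outright rather than corrected, so the advisory loses its v3 score entirely (the inline comment that follows objects to this as well, since the UI cannot change v3 and v4 in one import); keep the `"type": "CVSS_V3"` block and change only the v4 vector. On the v4 line, moving from `AT:N` to `AT:P` lowers the base score while dropping `E:U` removes the Threat metric that had been pulling the score down, so the LOW-to-MODERATE change comes from the removed `E:U`; the PR description should state which precondition justifies `AT:P`, since neither the summary nor the comments name one.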
The UI does not allow you to change CVSS v3 and CVSS v4 at the same time.
When importing, please import CVSS v3 without deleting it.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat:tomcat-catalina" | ||
| "name": "org.apache.tomcat:tomcat" | ||
| }, |
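Review bot: This replaces `org.apache.tomcat:tomcat-catalina` with `org.apache.tomcat:tomcat` instead of adding the second coordinate, so a project that declares `tomcat-catalina` as a direct dependency no longer matches this advisory; if the broader coordinate is intended, add it as an additional affected package and keep the existing entry, and state in the description why the coordinate changed, since the summary only says that it was changed.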
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" |
This aligns with the principle that an advisory database should
publish vendor-neutral Base metrics only, and let downstream tooling
overlay environment-specific Threat/Environmental metrics.
#7521 fixes are not accurately incorporated.
The "Suggest improvements" UI does not allow editing the Threat metric
E:U. Please remove it manually when applying this proposal so the
final vector contains only Base metrics:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
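A small checker for the procedure described in the comment above, added here as an example for this review (it is not code from the advisory database project or from the commenters): it parses a `CVSS:4.0` vector, validates the eleven Base metrics, reports any Threat/Environmental/Supplemental metrics such as `E:U`, and returns the Base-only vector so a proposed score can be checked before it is submitted through the UI.

```python
# CVSS v4.0 Base metrics in specification order, with their allowed values.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT_METRICS = {"E"}
# Environmental and Supplemental metric names (their values are not validated here).
ENV_SUPP_METRICS = {
    "CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI", "MVC", "MVI",
    "MVA", "MSC", "MSI", "MSA", "S", "AU", "R", "V", "RE", "U",
}


def parse_vector(vector):
    """Split a CVSS:4.0 vector string into a dict of metric -> value."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    return metrics


def non_base_metrics(vector):
    """Names of Threat/Environmental/Supplemental metrics present (e.g. ['E'])."""
    return sorted(set(parse_vector(vector)) - set(BASE_METRICS))


def base_only(vector):
    """Return the vector reduced to validated Base metrics in specification order."""
    metrics = parse_vector(vector)
    unknown = set(metrics) - set(BASE_METRICS) - THREAT_METRICS - ENV_SUPP_METRICS
    if unknown:
        raise ValueError(f"unknown metrics: {sorted(unknown)}")
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    for name, allowed in BASE_METRICS.items():
        if metrics[name] not in allowed:
            raise ValueError(f"invalid value {name}:{metrics[name]}")
    return "CVSS:4.0/" + "/".join(f"{m}:{metrics[m]}" for m in BASE_METRICS)
```

Running `base_only` on the vector currently in the advisory strips `E:U` and yields the Base-only vector quoted in the comment; a v3 vector or one with a missing Base metric is rejected rather than silently passed through.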