[GHSA-vmf9-6pcv-xr87] Username enumeration attack in goauthentik#8720
[GHSA-vmf9-6pcv-xr87] Username enumeration attack in goauthentik#8720emilburzo wants to merge 1 commit into
Conversation
|
Hi there @BeryJu! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
There was a problem hiding this comment.
Pull request overview
Corrects the affected product metadata for a goauthentik advisory, but substitutes fabricated npm package names instead of representing the upstream Other ecosystem.
Changes:
- Updates the advisory modification timestamp.
- Replaces both affected package names with nonexistent npm package names.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "@goauthentik/api" | ||
| "name": "@goauthentik/api-doesnotexist" |
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "@goauthentik/api" | ||
| "name": "@goauthentik/api-doesnotexist" |
Updates
Comments
The initial advisory incorrectly listed an npm ecosystem package. It has since been fixed on the repository advisory to
Other.How can we fix this one in the GitHub Advisory Database?
I've changed the package name to an invalid one since I wasn't able to specify
Other, but I'm not sure that's the best way to handle it?