Improve GHSA-f73w-4m7g-ch9x

eyurtsev · eyurtsev · commit 6b05d8d2a021 · 2023-10-04T16:53:26.000-04:00
diff --git a/advisories/github-reviewed/2023/09/GHSA-f73w-4m7g-ch9x/GHSA-f73w-4m7g-ch9x.json b/advisories/github-reviewed/2023/09/GHSA-f73w-4m7g-ch9x/GHSA-f73w-4m7g-ch9x.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f73w-4m7g-ch9x",
-  "modified": "2023-09-06T21:21:55Z",
+  "modified": "2023-09-06T21:21:56Z",
   "published": "2023-09-01T18:30:41Z",
   "aliases": [
     "CVE-2023-39631"
   ],
   "summary": "Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library",
-  "details": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.",
+  "details": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.\n\nPatches\n\nReleased in v.0.0.308. numexpr dependency is optional for langchain\n",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -20,11 +20,6 @@
         "ecosystem": "PyPI",
         "name": "langchain"
       },
-      "ecosystem_specific": {
-        "affected_functions": [
-          ""
-        ]
-      },
       "ranges": [
         {
           "type": "ECOSYSTEM",
@@ -33,11 +28,14 @@
               "introduced": "0"
             },
             {
-              "last_affected": "0.0.245"
+              "fixed": "0.0.308"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.0.245"
+      }
     }
   ],
   "references": [

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-f73w-4m7g-ch9x",`
`4`		`- "modified": "2023-09-06T21:21:55Z",`
	`4`	`+ "modified": "2023-09-06T21:21:56Z",`
`5`	`5`	`"published": "2023-09-01T18:30:41Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2023-39631"`
`8`	`8`	`],`
`9`	`9`	`"summary": "Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library",`
`10`		`- "details": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.",`
	`10`	`+ "details": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.\n\nPatches\n\nReleased in v.0.0.308. numexpr dependency is optional for langchain\n",`
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -20,11 +20,6 @@`
`20`	`20`	`"ecosystem": "PyPI",`
`21`	`21`	`"name": "langchain"`
`22`	`22`	`},`
`23`		`- "ecosystem_specific": {`
`24`		`- "affected_functions": [`
`25`		`- ""`
`26`		`- ]`
`27`		`- },`
`28`	`23`	`"ranges": [`
`29`	`24`	`{`
`30`	`25`	`"type": "ECOSYSTEM",`
`@@ -33,11 +28,14 @@`
`33`	`28`	`"introduced": "0"`
`34`	`29`	`},`
`35`	`30`	`{`
`36`		`- "last_affected": "0.0.245"`
	`31`	`+ "fixed": "0.0.308"`
`37`	`32`	`}`
`38`	`33`	`]`
`39`	`34`	`}`
`40`		`- ]`
	`35`	`+ ],`
	`36`	`+ "database_specific": {`
	`37`	`+ "last_known_affected_version_range": "<= 0.0.245"`
	`38`	`+ }`
`41`	`39`	`}`
`42`	`40`	`],`
`43`	`41`	`"references": [`