Advisory GHSA-g434-3q2j-hj4r lists incorrect fixed version

[M-Aditya-shankar]

I have noticed an issue with the details provided in the advisory GHSA-g434-3q2j-hj4r regarding the fixed version.

The advisory lists 3.1.9 as the version where the issue is fixed. However, the vulnerable function was actually introduced in version 3.1.9 (commit reference).

The actual fix was implemented in version 3.1.10 (fix commit).

Could you please review and update the advisory to reflect the correct information? Thank you.

[JonathanLEvans]

Hi @M-Aditya-shankar, thank you for your contribution.

First, GitHub is not the assigning CNA for this CVE. To ensure all CVE users receive this update, please contact the assigning CNA at https://cveform.mitre.org/.

The source MITRE used to assign the CVE ID appears to be the fix statement in the release notes for 3.1.9. It may be that change also introduced a second vulnerability, which would need to addressed by the MITRE CNA.

Let us know if you need assistance with this!