Affected versions of CVE-2024-36811

danielsiepmann
Posts: 10
Joined: 12 Jun 2023, 06:49

Affected versions of CVE-2024-36811

Post by danielsiepmann » 20 Jun 2024, 06:20

Hey,

we saw that CVE-2024-36811 has two different pieces of information regarding the affected versions.
https://github.com/advisories/GHSA-cr7j-rwmv-vgch states: Affected versions < 2024.04.5,
https://github.com/ssshah2131/CVE/blob/main/Aimeos_RCE states: aimeos-core version < 2024.04.5 as well as Vulnerable Versions: >= 2024.04.1, < 2024.04.5.

Can you tell us which of those two is correct? And maybe streamline the info? Right now the GitHub advisory is triggering a composer audit for packages < 2024.04.5.

aimeos
Administrator
Posts: 8616
Joined: 01 Jan 1970, 00:00

Re: Affected versions of CVE-2024-36811

Post by aimeos » 20 Jun 2024, 07:03

danielsiepmann wrote: 20 Jun 2024, 06:20
we saw that CVE-2024-36811 has two different pieces of information regarding the affected versions.
https://github.com/advisories/GHSA-cr7j-rwmv-vgch states: Affected versions < 2024.04.5,
https://github.com/ssshah2131/CVE/blob/main/Aimeos_RCE states: aimeos-core version < 2024.04.5 as well as Vulnerable Versions: >= 2024.04.1, < 2024.04.5.

Can you tell us which of those two is correct? And maybe streamline the info? Right now the GitHub advisory is triggering a composer audit for packages < 2024.04.5.

Only 2024.04.1 to 2024.04.4 are affected. The GitHub notice was created by a security scanner which added the vulnerability via MITRE to the CVE database, but with wrong versions, and GitHub used that to create a security advisory automatically. We've already submitted a change request and hope it will get fixed soon.
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, give us a star
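One way to triage the composer audit hit against the narrower range aimeos gives above, as an added example (not code from the thread or from the Aimeos project): it reads the locked aimeos/aimeos-core version from composer.lock and reports whether that version falls inside the advisory's `< 2024.04.5` range, inside the vendor's `2024.04.1` to `2024.04.4` range, or neither. The composer.lock fragment is constructed for the example, and the version parser only accepts plain release numbers in the tag style quoted in the thread; `dev-*` and pre-release strings are refused rather than mis-ordered.

```python
"""Triage a `composer audit` hit for CVE-2024-36811 against the narrower
affected range the vendor gives in the thread. Added example, not code from
the forum thread or from the Aimeos project."""
import json
import re

# Lower bound inclusive, upper bound exclusive, both as quoted in the thread.
ADVISORY_RANGE = ("0", "2024.04.5")         # GHSA-cr7j-rwmv-vgch: < 2024.04.5
VENDOR_RANGE = ("2024.04.1", "2024.04.5")   # aimeos: 2024.04.1 to 2024.04.4

PACKAGE = "aimeos/aimeos-core"


def parse_version(version: str) -> tuple:
    """Turn a Composer release version such as '2024.04.3' or 'v2024.04.3'
    into a comparable tuple of ints. Dev and pre-release strings (e.g.
    'dev-master', '2024.04.x-dev') are refused: their ordering follows
    Composer's own rules, which this helper does not reproduce."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # '2024.04' sorts as 2024.04.0


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version < high."""
    return parse_version(low) <= parse_version(version) < parse_version(high)


def installed_version(lock_json: str, package: str = PACKAGE) -> str:
    """Return the locked version of `package` from composer.lock text."""
    lock = json.loads(lock_json)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry["version"]
    raise KeyError(f"{package} not present in composer.lock")


def triage(lock_json: str, package: str = PACKAGE) -> dict:
    """Classify the audit hit: 'not-flagged' (advisory range does not match),
    'affected' (inside the vendor's range, update now) or 'false-positive'
    (matched only by the over-broad advisory range)."""
    version = installed_version(lock_json, package)
    flagged = in_range(version, *ADVISORY_RANGE)
    affected = in_range(version, *VENDOR_RANGE)
    if affected:
        verdict = "affected"
    elif flagged:
        verdict = "false-positive"
    else:
        verdict = "not-flagged"
    return {"package": package, "version": version,
            "flagged_by_advisory": flagged, "affected_per_vendor": affected,
            "verdict": verdict}


# Constructed composer.lock fragment (not from a real project): a 2023.10 shop
# that composer audit flags under the advisory's "< 2024.04.5" range.
CONSTRUCTED_LOCK = json.dumps({
    "packages": [
        {"name": "aimeos/aimeos-core", "version": "2023.10.9"},
        {"name": "aimeos/ai-client-html", "version": "2023.10.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(json.dumps(triage(CONSTRUCTED_LOCK), indent=2))
```

Run it against a real composer.lock by passing the file contents to `triage()`. A `false-positive` verdict is only as good as the vendor statement it relies on, so record the thread (or the corrected advisory, once the change request lands) next to any suppression, for instance in Composer's `audit.ignore` config setting in recent Composer releases; an `affected` verdict means updating to 2024.04.5 or later regardless of which range turns out to be the published one.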

danielsiepmann
Posts: 10
Joined: 12 Jun 2023, 06:49

Re: Affected versions of CVE-2024-36811

Post by danielsiepmann » 20 Jun 2024, 07:33

Thanks for the clarification and for taking care that this will be fixed on GitHub's end.
