[GHSA-q66h-m87m-j2q6] Bitcoinrb Vulnerable to Command injection via RPC #7079
Conversation
Hi there @azuchi! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Hi @claidlaw-figment, thanks for your interest in improving this advisory. As the maintainer of bitcoinrb and the author of this advisory, I'd like to provide some context on why the severity was set to Low. The RPC server in question is part of an experimental SPV node feature that is:
While I agree that command injection is a serious vulnerability class in general, the practical impact here is essentially zero given the above context. Raising Confidentiality, Integrity, and Availability to High based solely on the vulnerability category, without considering the actual deployment context, would misrepresent the real-world risk and could generate unnecessary high-severity alerts for bitcoinrb users via dependency scanning tools. I believe the current severity of Low accurately reflects the actual risk of this vulnerability, and I would prefer it remain unchanged.
Updating the CVSS Score for this vulnerability. I will list the updated fields and my rationale.
Attack requirements: The deployment must be using the RPC server, so I have updated this to "Present".
Confidentiality, Integrity, Availability: This is a command injection, so all have been updated to High.