[GHSA-7jqf-v358-p8g7] Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability

[hara-satoshi-ymr]

Updates

• Affected products
• CVSS v3

Comments
improve affected pacakges

[Copilot]

Pull request overview

Updates the GHSA record for CVE-2024-38286 (Apache Tomcat resource exhaustion via TLS handshake) to refine impacted Maven artifacts/versions and adjust severity metadata.

Changes:

• Updates the affected package entries to use org.apache.tomcat:tomcat across multiple version trains (including EOL-only “last_affected” ranges).
• Expands affected artifacts by adding org.apache.tomcat:tomcat-coyote ranges alongside org.apache.tomcat:tomcat.
• Adjusts the severity section (currently leaving only CVSS v4) and bumps the modified timestamp.

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2024/11/GHSA-7jqf-v358-p8g7/GHSA-7jqf-v358-p8g7.json:16

• The PR description says "CVSS v3" is being updated, but the CVSS_V3 entry was removed from the severity array and only CVSS_V4 remains. If a v3 score is still available for this GHSA/CVE, it should be retained/updated here (many advisories include both v3 and v4); otherwise, please update the PR description to reflect that v3 was intentionally removed.

  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"
    }
  ],

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.