CVE submitted via GitHub advisory targets wrong package

I have written three advisories in crossbeam-rs/crossbeam and obtained CVE via GitHub advisory for all of them.

- https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx (package: `crossbeam-channel`)
- https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw (package: `crossbeam-deque`)
- https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926 (package: `crossbeam-utils`)

Each of these advisories is for a different package in the same repository.

However, according to the CVE submitted by GitHub, it appears that these are all treated as `crossbeam` package issues, which causes issues to be reported in the wrong packages or not reported in packages that should be reported (https://github.com/crossbeam-rs/crossbeam/issues/1151).

- https://nvd.nist.gov/vuln/detail/CVE-2020-15254
  > `cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*`
- https://nvd.nist.gov/vuln/detail/CVE-2021-32810
  > `cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*`
- https://nvd.nist.gov/vuln/detail/CVE-2022-23639
  >  `cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:rust:*:*`


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE submitted via GitHub advisory targets wrong package #5064

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development