[GHSA-2gh6-wc3m-g37f] hermes-management is vulnerable to RCE due to Apache commons-jxpath

advisories/github-reviewed/2024/09/GHSA-2gh6-wc3m-g37f/GHSA-2gh6-wc3m-g37f.json

@@ -1,16 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2gh6-wc3m-g37f",
-  "modified": "2024-09-17T19:29:24Z",
+  "modified": "2024-09-17T19:29:25Z",
   "published": "2024-09-17T19:29:24Z",
   "aliases": [],
   "summary": "hermes-management is vulnerable to RCE due to Apache commons-jxpath",
   "details": "### Impact\nhermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.\n\n### Patches\nUpgrade Hermes to at least hermes-2.2.9\n\n### References\nhttps://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/\n",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
@@ -27,7 +23,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "0.8.2"
             },
             {
               "fixed": "2.2.9"
@@ -46,6 +42,10 @@
       "type": "WEB",
       "url": "https://github.com/allegro/hermes/commit/72ecc5aa41e37fd614443dd35d9200b66a61afb1"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/allegro/hermes/commit/92d4ad0cf6868ba784707772b78e129fedff7a31"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/allegro/hermes"