[GHSA-9h8m-3fm2-qjrq] OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

[xnox]

Updates

• Description
• Summary

Comments
The CVE affects macOS (Darwin) platform only, and thus majority of containers are unaffected.

Ideally an "AND" cpe match is added on the macOS / Darwin platform or OS.

[github]

Hi there @arminru! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[JonathanLEvans]

Hi @xnox,

Thank you for interest in this advisory. The advisory already says that it limited to macOS/Darwin systems. Our advisories are for packages in supported ecosystems. Since there is not macOS/Darwin package in the registry, there is not much more we can do here.

We do not provide CPEs. However, if you would like to correct NIST's CPEs, you can contact NIST via cpe_dictionary@nist.gov.