Update CVE-2023-51774.yml

postmodern · postmodern · commit 973ee9391883 · 2024-03-02T13:38:12.000-08:00
Mention that versions 1.16.5 and below are vulnerable. The original advisory was published on 2023-12-22, but version 1.16.4 was published on 2023-12-27. The diffs of versions 1.16.4 and 1.16.5 do not appear to contain any significant changes to the logic which would indicate patching.
diff --git a/gems/json-jwt/CVE-2023-51774.yml b/gems/json-jwt/CVE-2023-51774.yml
@@ -6,13 +6,14 @@ url: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
 title: json-jwt allows bypass of identity checks via a sign/encryption confusion attack
 date: 2024-02-29
 description: |
-  The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows
+  The json-jwt (aka JSON::JWT) gem versions 1.16.5 and below sometimes allows
   bypass of identity checks via a sign/encryption confusion attack.
   For example, JWE can sometimes be used to bypass JSON::JWT.decode.
-notes: Never patched
+notes: Not patched yet
 related:
   url:
     - https://nvd.nist.gov/vuln/detail/CVE-2023-51774
     - https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
     - https://github.com/advisories/GHSA-c8v6-786g-vjx6
-# not CVSS number, latest gem version is 1.16.5
+# no CVSS score yet. advisory was published before version 1.16.4 was released.
+# versions 1.16.4 and 1.16.5 do not seem patched.
