[GHSA-7xrh-hqfc-g7qr] Hostname verification in Apache ZooKeeper ZKTrustManager...#7130
Pull request overview
Updates the GHSA advisory metadata for Apache ZooKeeper hostname verification bypass to match the upstream Apache advisory.
Changes:
- Added Maven package coordinates and affected version ranges for ZooKeeper 3.8.x and 3.9.x
- Added a clearer advisory summary
- Added an additional CWE classification (CWE-350)
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 3.9.4" | ||
| } |
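Review bot: whichever form of upper bound is kept for this 3.9.x block ("<= 3.9.4" or a fix-relative "< 3.9.5"), the 3.8.x "database_specific" block further down should use the same form; as the diff stands, both entries use the "<=" form, so if one is changed to the "<" form the other should be changed with it, so the two ranges are not read differently by consumers of the advisory.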
"last_known_affected_version_range" is expressed as "<= 3.9.4", which can incorrectly exclude patch/qualifier versions that still fall before the fixed release (e.g., "3.9.4.1" or similar Maven-style versions). To avoid under-reporting affected versions, align this with the fixed boundary (e.g., express it as "< 3.9.5").
| } | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 3.8.5" |
Same issue as above: using "<= 3.8.5" may miss affected patch/qualifier versions that are still prior to the fix. Consider expressing this relative to the fix boundary (e.g., "< 3.8.6") to avoid excluding versions that should be considered affected.
| "last_known_affected_version_range": "<= 3.8.5" | |
| "last_known_affected_version_range": "< 3.8.6" |
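As an added example (not part of this PR or of the advisory), the version-matching check the review comment above is reasoning about: it compares Maven-style versions against the two range forms and reports where "<= 3.9.4" and "< 3.9.5" disagree. The comparator is a simplified assumption that orders dot-separated numeric components only; Maven's real ordering of qualifiers such as -SNAPSHOT is not reproduced.

```python
"""Added example, not code from the advisory PR: check Maven-style versions
against single-bound affected ranges and show where the inclusive form
("<= 3.9.4") and the fix-relative form ("< 3.9.5") classify a version
differently. Assumption: a simplified comparator over numeric dotted
components; a '-qualifier' suffix is dropped, so 3.9.4-SNAPSHOT sorts as
3.9.4 here, whereas real Maven orders it before 3.9.4."""
import re
from itertools import zip_longest


def parse_version(v: str):
    """Split '3.9.4.1' into (3, 9, 4, 1); a non-numeric part stops the parse."""
    parts = []
    for p in v.split("-", 1)[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Classic comparator (-1, 0, 1); shorter tuples are padded with 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


_RANGE = re.compile(r"^\s*(<=|<|>=|>)\s*([0-9.]+)\s*$")


def in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies a single-bound range such as '< 3.8.6'."""
    m = _RANGE.match(range_expr)
    if not m:
        raise ValueError(f"unsupported range: {range_expr!r}")
    op, bound = m.groups()
    c = compare(version, bound)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def affected(version: str, introduced: str, last_affected_expr: str) -> bool:
    """Combine the 'introduced' lower bound with the last-affected expression."""
    return in_range(version, f">= {introduced}") and in_range(version, last_affected_expr)


def compare_bounds(versions, inclusive_expr, exclusive_expr):
    """Return the versions that the two range forms classify differently."""
    return [v for v in versions if in_range(v, inclusive_expr) != in_range(v, exclusive_expr)]


if __name__ == "__main__":
    # Constructed sample versions for the 3.9.x line; 3.9.4.1 is hypothetical.
    samples = ["3.9.0", "3.9.4", "3.9.4.1", "3.9.5"]
    print(compare_bounds(samples, "<= 3.9.4", "< 3.9.5"))  # ['3.9.4.1']
```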
b579333 into kascit/advisory-improvement-7130
Hi @kascit! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Adding missing Maven package, version, and CWE metadata based on the official Apache advisory. It confirms org.apache.zookeeper:zookeeper versions 3.8.0-3.8.5 and 3.9.0-3.9.4 are affected, with patches in 3.8.6 and 3.9.5 respectively.