
[GHSA-m494-w24q-6f7w] JDBC Driver for SQL Server has improper input validation issue#7287

Closed
dguerri wants to merge 1 commit into dguerri/advisory-improvement-7287 from dguerri-GHSA-m494-w24q-6f7w

Conversation


@dguerri dguerri commented Apr 3, 2026

Updates

  • Affected products

Comments
As per the Microsoft bulletin, this is fixed, regardless of the runtime, in version 13.2.1.

The proposed change prevents false positives due to scanners' version-comparison logic.

@github-actions github-actions bot changed the base branch from main to dguerri/advisory-improvement-7287 April 3, 2026 07:57
@shelbyc shelbyc (Contributor) commented Apr 13, 2026

Hi @dguerri, you're correct that the issue is fixed regardless of runtime. However, the VVRs and fixed versions are set the way they are to prevent false positives in Dependabot. The conversation at #6386 has more information about how VVRs work in GitHub, namely how the suffix .jre[number] is interpreted as a prerelease, so eliminating the suffix would incorrectly mark fixed versions as vulnerable.

@shelbyc shelbyc closed this Apr 13, 2026
@github-actions github-actions bot deleted the dguerri-GHSA-m494-w24q-6f7w branch April 13, 2026 13:35
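The ordering behaviour shelbyc describes above, as an added example that is not part of this PR, of the advisory database, or of GitHub's own matching code: a small Python model in which a `.jre<N>` suffix is treated as a prerelease tag under the semver rule (a tagged version sorts before the same numeric version without a tag), so a fixed version written without the suffix makes the suffixed builds that actually contain the fix compare as "older than fixed". The version strings and runtime lines are constructed samples following the mssql-jdbc `<major>.<minor>.<patch>.jre<N>` naming; `SAMPLE_BUILDS`, `COLLAPSED`, `PER_RUNTIME`, `evaluate`, and the choice to apply each range only to the builds of its own runtime line are assumptions of this model, not how Dependabot or GitHub's VVR matching is implemented.

```python
# Added example: a model of prerelease-suffix handling in a "< fixed" version-range
# check. Not code from the advisory database, the PR, or GitHub/Dependabot.
# Ordering rule (assumed, following semver): same numeric core, tagged < untagged.
import re
from typing import Dict, List, Tuple

# "13.2.1.jre8" -> core "13.2.1", tag "jre8"; a plain "13.2.1" has no tag.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[.\-]([A-Za-z][A-Za-z0-9]*))?$")


def parse(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split a version string into its numeric core and its (possibly empty) suffix tag."""
    m = _VERSION.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(part) for part in m.group(1).split("."))
    return core, m.group(2) or ""


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under prerelease semantics."""
    core_a, tag_a = parse(a)
    core_b, tag_b = parse(b)
    width = max(len(core_a), len(core_b))
    core_a += (0,) * (width - len(core_a))   # "13.2" compares equal to "13.2.0"
    core_b += (0,) * (width - len(core_b))
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    # Same numeric core: a suffixed version is a prerelease of the unsuffixed one,
    # so "13.2.1.jre8" sorts BEFORE "13.2.1". This is the source of the false positive.
    if tag_a == tag_b:
        return 0
    if not tag_a:
        return 1
    if not tag_b:
        return -1
    # Two different tags on the same core: plain string order, as semver uses for
    # alphanumeric identifiers (not exercised by the per-runtime model below).
    return -1 if tag_a < tag_b else 1


def is_vulnerable(version: str, fixed_in: str) -> bool:
    """A range of the form '< fixed_in': vulnerable iff the version sorts before the fix."""
    return compare(version, fixed_in) < 0


# Constructed sample builds per runtime line (not taken from the advisory).
SAMPLE_BUILDS: Dict[str, List[str]] = {
    "jre8": ["13.2.0.jre8", "13.2.1.jre8", "13.4.0.jre8"],
    "jre11": ["13.2.0.jre11", "13.2.1.jre11", "13.4.0.jre11"],
}

# Hypothetical fixed-version tables for the two approaches discussed in the PR.
COLLAPSED = {"jre8": "13.2.1", "jre11": "13.2.1"}               # suffix dropped
PER_RUNTIME = {"jre8": "13.2.1.jre8", "jre11": "13.2.1.jre11"}  # suffix kept


def flagged(fixed_in: str, builds: List[str]) -> List[str]:
    """Builds that a '< fixed_in' range marks as vulnerable."""
    return [v for v in builds if is_vulnerable(v, fixed_in)]


def evaluate(fixed_versions: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply each runtime line's fixed version to that line's builds (assumption: a
    range is only matched against builds of its own runtime line)."""
    return {rt: flagged(fixed_versions[rt], builds) for rt, builds in SAMPLE_BUILDS.items()}


if __name__ == "__main__":
    for label, table in (("collapsed fixed version", COLLAPSED), ("per-runtime fixed version", PER_RUNTIME)):
        print(f"{label}: flagged = {evaluate(table)}")
```

With the collapsed table, `13.2.1.jre8` and `13.2.1.jre11` are flagged alongside the genuinely affected `13.2.0.*` builds, which is the false positive shelbyc's comment warns about; with the suffix retained in each line's fixed version only the `13.2.0.*` builds are flagged. Any real scanner's handling of a version from one runtime line against a range written for another is not described on this page and is deliberately left out of the model.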