Add md file with description ignored CVE and fix format (#18553)

| Q               | A
|-----------------|-----
| Branch?         | 1.14
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | #18549
| License         | MIT

Details in file AUDIT-IGNORE.md
This commit is contained in:
Rafał Jaskulski 2025-11-17 14:18:56 +01:00 committed by GitHub
commit c7cb75f310
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 21 additions and 1 deletions

15
AUDIT-IGNORE.md Normal file
View file

@ -0,0 +1,15 @@
# AUDIT-IGNORE
This document explains why specific advisories are added to `composer.json``config.audit.ignore`.
**PKSA-gs8r-6kz6-pp56** — `api-platform/core` CVE-2025-31485; affected versions < 3.4.17, 4.0.04.0.21, 4.1.04.1.4 are pulled by Sylius dependency constraints. GraphQL property security grant caching issue allows unauthorized access.
https://www.cve.org/CVERecord?id=CVE-2025-31485
**PKSA-gnn4-pxdg-q76m** — `api-platform/core` CVE-2025-31481; same affected versions as above. GraphQL security bypass via Relay `node` type allows unauthorized entity access.
https://www.cve.org/CVERecord?id=CVE-2025-31481
**PKSA-yhcn-xrg3-68b1** — `twig/twig` CVE-2024-45411; affected versions < 1.44.8, < 2.16.1, < 3.14.0 are pulled by Sylius dependency constraints. Sandbox security checks can be bypassed when templates are loaded in non-sandbox context before include().
https://www.cve.org/CVERecord?id=CVE-2024-45411
**PKSA-2wrf-1xmk-1pky** — `twig/twig` CVE-2024-51755; affected versions < 3.11.2 or 3.12.03.14.0 are pulled by Sylius dependency constraints. Unguarded `__isset()` and array-access in sandbox allows attribute access on Array-like objects.
https://www.cve.org/CVERecord?id=CVE-2024-51755

View file

@ -261,7 +261,12 @@
"symfony/runtime": true
},
"audit": {
"ignore": ["PKSA-gs8r-6kz6-pp56", "PKSA-gnn4-pxdg-q76m", "PKSA-yhcn-xrg3-68b1", "PKSA-2wrf-1xmk-1pky"]
"ignore": [
"PKSA-gs8r-6kz6-pp56",
"PKSA-gnn4-pxdg-q76m",
"PKSA-yhcn-xrg3-68b1",
"PKSA-2wrf-1xmk-1pky"
]
}
},
"extra": {