Improve GHSA-gwrp-pvrq-jmwv

[wtwhite]

Updates

• Affected products
• References

Comments
Several other components are also affected as a result of cloning (copying source code) or shading (copying source code and renaming packages). Proof-of-Vulnerability projects with tests to verify the presence of the CVE can be found here: https://github.com/jensdietrich/xshady-release/.

See #2258, especially #2258 (comment), for more details.

(This PR is a second attempt at #3442, which went wrong due to a bad merge. Thanks @darakian for clarifying how last_affected should be applied.)

[advisory-database]

Hi @wtwhite! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

@wtwhite The additions have been merged. The system threw an error with https://mvnrepository.com/artifact/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io because of the _ characters in the version numbers. I've worked around the error by setting the vulnerable version range to >= 1.4, <= 1.5. This should generate the same number of alerts as = 1.4._3.

[wtwhite]

Thank you @shelbyc!