From 8340380c2657aae4fbb108095fc582c9ab3ae4c8 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Tue, 11 Nov 2025 16:30:43 -0500
Subject: [PATCH] Combined/deleted duplicate httparty gem advisory as part of PR#585

---
 gems/httparty/CVE-2024-22049.yml      | 16 +++++++++++++++
 gems/httparty/GHSA-5pq7-52mg-hr42.yml | 29 ---------------------------
 2 files changed, 16 insertions(+), 29 deletions(-)
 delete mode 100644 gems/httparty/GHSA-5pq7-52mg-hr42.yml

diff --git a/gems/httparty/CVE-2024-22049.yml b/gems/httparty/CVE-2024-22049.yml
index 26ff21678a..6fe5a75b4c 100644
--- a/gems/httparty/CVE-2024-22049.yml
+++ b/gems/httparty/CVE-2024-22049.yml
@@ -16,6 +16,21 @@ description: |
     Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"
+  ## GHSA version of Description
+
+  "multipart/form-data request tampering vulnerability"
+  caused by Content-Disposition "filename" lack of escaping in httparty.
+
+  `httparty/lib/httparty/request` > `body.rb` > `def generate_multipart`
+
+  https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+
+  By exploiting this problem, the following attacks are possible
+
+  * An attack that rewrites the \"name\" field according to the
+    crafted file name, impersonating (overwriting) another field.
+  * Attacks that rewrite the filename extension at the time
+    multipart/form-datais generated by tampering with the filename.
 cvss_v3: 6.5
 patched_versions:
   - ">= 0.21.0"
@@ -25,4 +40,5 @@ related:
     - https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
     - https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
     - https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+    - https://bugzilla.mozilla.org/show_bug.cgi?id=1556711
     - https://github.com/advisories/GHSA-5pq7-52mg-hr42
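Review bot: The re-wrapped last bullet of the merged description fuses two words, `multipart/form-datais generated`, which the deleted GHSA file had as `multipart/form-data` followed by a line break and `is generated`; it should read `multipart/form-data is generated by tampering with the filename.`. In the same added block, `\"name\"` sits inside a `|` literal block scalar, where backslashes are not escape characters, so the rendered advisory text will show the backslashes literally; write it as `* An attack that rewrites the "name" field according to the` (the earlier added line `"multipart/form-data request tampering vulnerability"` already uses bare double quotes correctly). The `description: |` block this hunk extends begins before the hunk, so whether the leading `## GHSA version of Description` heading is rendered as markdown by the consuming tooling cannot be judged from here. The second hunk, which adds the bugzilla link to `related`, raises nothing.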
diff --git a/gems/httparty/GHSA-5pq7-52mg-hr42.yml b/gems/httparty/GHSA-5pq7-52mg-hr42.yml
deleted file mode 100644
index 9f1f3f5adb..0000000000
--- a/gems/httparty/GHSA-5pq7-52mg-hr42.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-gem: httparty
-ghsa: 5pq7-52mg-hr42
-url: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
-title: httparty has multipart/form-data request tampering vulnerability
-date: 2023-01-03
-description: |
-  "multipart/form-data request tampering vulnerability"
-  caused by Content-Disposition "filename" lack of escaping in httparty.
-
-  `httparty/lib/httparty/request` > `body.rb` > `def generate_multipart`
-
-  https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
-
-  By exploiting this problem, the following attacks are possible
-
-  * An attack that rewrites the \"name\" field according to the crafted file
-    name, impersonating (overwriting) another field.
-  * Attacks that rewrite the filename extension at the time multipart/form-data
-    is generated by tampering with the filename.
-cvss_v3: 6.5
-patched_versions:
-  - ">= 0.21.0"
-related:
-  url:
-    - https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
-    - https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
-    - https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
-    - https://bugzilla.mozilla.org/show_bug.cgi?id=1556711