From 93c92485769ad2a266b0284d38616fcf75efd9d3 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Tue, 25 Jan 2022 21:57:31 +0100 Subject: Update tracking for CVE-2018-16472/node-cached-path-relative This old CVE entry was tracked as NFU, but is actually in node-cached-path-relative and fixed in 1.0.2 upstream. Update tracking. Versions having fixed CVE-2018-16472 are then prone to CVE-2021-23518. --- data/CVE/list.2018 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/data/CVE/list.2018 b/data/CVE/list.2018 index ea034eadde..0fa67bdeac 100644 --- a/data/CVE/list.2018 +++ b/data/CVE/list.2018 @@ -13060,7 +13060,10 @@ CVE-2018-16474 (A stored xss in tianma-static module versions <=1.0.4 allows CVE-2018-16473 (A path traversal in takeapeek module versions <=0.2.2 allows an att ...) NOT-FOR-US: takeapeek CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions <=1.0 ...) - NOT-FOR-US: cached-path-relative + - node-cached-path-relative 1.0.2-1 + NOTE: https://hackerone.com/reports/390847 + NOTE: https://github.com/ashaffer/cached-path-relative/issues/3 + NOTE: Fixed by: https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0 CVE-2018-16471 (There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. ...) {DLA-1585-1} - ruby-rack 1.6.4-6 (bug #913005) -- cgit v1.2.3
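Review bot: The CVE-2018-16472 entry in this hunk records the fix (node-cached-path-relative 1.0.2-1 plus the three NOTE lines) but does not capture what the commit message itself states, namely that versions fixed for CVE-2018-16472 are then prone to CVE-2021-23518 because the upstream fix was incomplete. Anyone reading only data/CVE/list.2018 will see a closed entry and miss that linkage; a fourth line such as `NOTE: Fix is incomplete, see CVE-2021-23518` after the `NOTE: Fixed by:` line would keep the two entries cross-referenced in both directions. Minor: unlike the adjacent `ruby-rack 1.6.4-6 (bug #913005)` line, the new package line carries no bug reference; if a Debian bug was filed for the package it should be cited, otherwise this is fine as is.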