{
  "repository": "conductor-oss/conductor",
  "commit_source": "git_rev_parse",
  "commit_sha": "2bea5078f916c0d529cd0f32a55f79425b65a5b8",
  "submitted_target": {
    "target_kind": "docker_image",
    "version": "3.22.3",
    "ref": "v3.22.3",
    "commit_sha": "c969d9b82d4f37e92dffe2fa85da026af32956b3",
    "display": "conductoross/conductor:3.22.3"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "version": "3.30.2",
    "ref": "v3.30.2",
    "commit_sha": "2bea5078f916c0d529cd0f32a55f79425b65a5b8",
    "display": "conductoross/conductor:3.30.2"
  },
  "notes": "The vulnerable version (v3.22.3) was tested via Docker image conductoross/conductor:3.22.3 (git tag v3.22.3 -> c969d9b82d4f37e92dffe2fa85da026af32956b3). The fixed version (v3.30.2) was tested via Docker image conductoross/conductor:3.30.2 (git tag v3.30.2 -> 2bea5078f916c0d529cd0f32a55f79425b65a5b8). Both tag SHAs were resolved via 'git fetch origin tag <tag> --depth=1 && git rev-parse <tag>' from the repo mirror at /data/pruva/project-cache/045381e0-9ff8-419b-8038-f44656c5e37a/repo. The fix commits 87a7d96aabbb706d6e84f812b93da5165028d18f and c691e35e768caeb802c9f06ecdd9674c80081af1 were fetched and their diffs verified; the createNewContext() fix code was confirmed present in the v3.30.2 tag via 'git show v3.30.2:core/.../ScriptEvaluator.java'."
}
