Google Git
Sign in
go / pkgsite / e7143b5d335c09e1a0fef6925a59c455423496d0 / . / tests / screentest / testdata / vulndb / toolchain.json
blob: fabb446c6cced71c991fec3e581964480194de2c [file] [log] [blame]
[
{
"id": "GO-2021-0068",
"published": "2021-04-14T20:04:52Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2021-3115"],
"details": "The go command may execute arbitrary code at build time when using cgo on Windows.\nThis can be triggered by running go get on a malicious module, or any other time\nthe code is built.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.14.14" },
{ "introduced": "1.15.0" },
{ "fixed": "1.15.7" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0068" },
"ecosystem_specific": { "imports": [{ "path": "cmd/go", "goos": ["windows"] }] }
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/284783" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0"
},
{ "type": "REPORT", "url": "https://go.dev/issue/43783" },
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ"
},
{ "type": "FIX", "url": "https://go.dev/cl/284780" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0"
}
],
"credits": [{ "name": "RyotaK" }]
},
{
"id": "GO-2022-0177",
"published": "2022-08-09T17:31:35Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2017-15041"],
"details": "The \"go get\" command allows remote command execution.\n\nUsing custom domains, it is possible to arrange things so that\nexample.com/pkg1 points to a Subversion repository but\nexample.com/pkg1/pkg2 points to a Git repository. If the Subversion\nrepository includes a Git checkout in its pkg2 directory and\nsome other work is done to ensure the proper ordering of operations, \"go\nget\" can be tricked into reusing this Git checkout for the fetch of code\nfrom pkg2. If the Subversion repository's Git checkout has malicious\ncommands in .git/hooks/, they will execute on the system running \"go get\".\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.8.4" },
{ "introduced": "1.9.0" },
{ "fixed": "1.9.1" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0177" },
"ecosystem_specific": { "imports": [{ "path": "cmd/go" }] }
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/68110" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb"
},
{ "type": "REPORT", "url": "https://go.dev/issue/22125" },
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ"
}
],
"credits": [{ "name": "Simon Rawet" }]
},
{
"id": "GO-2022-0189",
"published": "2022-08-04T21:30:35Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2018-16873"],
"details": "The \"go get\" command is vulnerable to remote code execution when executed\nwith the -u flag and the import path of a malicious Go package, or a\npackage that imports it directly or indirectly.\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode\n(the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).\n\nUsing custom domains, it's possible to arrange things so that a Git\nrepository is cloned to a folder named \".git\" by using a vanity import path\nthat ends with \"/.git\". If the Git repository root contains a \"HEAD\" file,\na \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work\nto ensure the proper ordering of operations, \"go get -u\" can be tricked\ninto considering the parent directory as a repository root, and running Git\ncommands on it. That will use the \"config\" file in the original Git\nrepository root for its configuration, and if that config file contains\nmalicious commands, they will execute on the system running \"go get -u\".\n\nNote that forbidding import paths with a .git element might not be\nsufficient to mitigate this issue, as on certain systems there can be other\naliases for VCS state folders.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.10.6" },
{ "introduced": "1.11.0" },
{ "fixed": "1.11.3" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0189" },
"ecosystem_specific": {
"imports": [{ "path": "cmd/go/internal/get", "symbols": ["downloadPackage"] }]
}
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/154101" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"
},
{ "type": "REPORT", "url": "https://go.dev/issue/29230" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" }
],
"credits": [{ "name": "Etienne Stalmans of Heroku" }]
},
{
"id": "GO-2022-0190",
"published": "2022-08-02T15:44:23Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2018-16874"],
"details": "The \"go get\" command is vulnerable to directory traversal when executed\nwith the import path of a malicious Go package which contains curly brace\n(both '{' and '}' characters).\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode\n(the distinction is documented at\nhttps://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause\nan arbitrary filesystem write, which can lead to code execution.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.10.6" },
{ "introduced": "1.11.0" },
{ "fixed": "1.11.3" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0190" },
"ecosystem_specific": {
"imports": [{ "path": "cmd/go/internal/get", "symbols": ["downloadPackage"] }]
}
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/154101" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"
},
{ "type": "REPORT", "url": "https://go.dev/issue/29230" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" }
],
"credits": [{ "name": "ztz of Tencent Security Platform" }]
},
{
"id": "GO-2022-0201",
"published": "2022-08-09T18:15:41Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2018-6574"],
"details": "The \"go get\" command with cgo is vulnerable to remote command execution\nby leveraging the gcc or clang plugin feature.\n\nWhen cgo is enabled, the build step during \"go get\" invokes the host C\ncompiler, gcc or clang, adding compiler flags specified in the Go source\nfiles. Both gcc and clang support a plugin mechanism in which a\nshared-library plugin is loaded into the compiler, as directed by\ncompiler flags. This means that a Go package repository can contain an\nattack.so file along with a Go source file that says (for example)\n\"// #cgo CFLAGS: -fplugin=attack.so\" causing the attack plugin to be\nloaded into the host C compiler during the build. Gcc and clang plugins are\ncompletely unrestricted in their access to the host system.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.8.7" },
{ "introduced": "1.9.0" },
{ "fixed": "1.9.4" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0201" },
"ecosystem_specific": { "imports": [{ "path": "cmd/go" }] }
}
],
"references": [
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/1dcb5836ad2c60776561da2923c70576ba2eefc6"
},
{ "type": "REPORT", "url": "https://go.dev/issue/23672" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-nuts/c/Gbhh1NxAjMU" }
],
"credits": [{ "name": "Christopher Brown of Mattermost" }]
},
{
"id": "GO-2022-0203",
"published": "2022-08-09T23:19:00Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2018-7187"],
"details": "The \"go get\" command is vulnerable to remote code execution.\n\nWhen the -insecure command-line option is used, \"go get\" does not validate\nthe import path (get/vcs.go only checks for \"://\" anywhere in the string),\nwhich allows remote attackers to execute arbitrary OS commands via a\ncrafted web site.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.9.5" },
{ "introduced": "1.10.0" },
{ "fixed": "1.10.1" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0203" },
"ecosystem_specific": { "imports": [{ "path": "cmd/go" }] }
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/94603" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc"
},
{ "type": "REPORT", "url": "https://go.dev/issue/23867" },
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ"
}
],
"credits": [{ "name": "Arthur Khashaev" }]
},
{
"id": "GO-2022-0247",
"published": "2022-05-24T20:14:28Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2021-38297"],
"details": "When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,\npassing very large arguments can cause portions of the module to be\noverwritten with data from the arguments due to a buffer overflow error.\n\nIf using wasm_exec.js to execute WASM modules, users will need to replace\ntheir copy (as described in\nhttps://golang.org/wiki/WebAssembly#getting-started) after rebuilding any\nmodules.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.16.9" },
{ "introduced": "1.17.0" },
{ "fixed": "1.17.2" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0247" },
"ecosystem_specific": {
"imports": [
{ "path": "cmd/link", "goos": ["js"], "goarch": ["wasm"], "symbols": ["Link.address"] },
{ "path": "misc/wasm", "goos": ["js"], "goarch": ["wasm"], "symbols": ["run"] }
]
}
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/354571" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4"
},
{ "type": "REPORT", "url": "https://go.dev/issue/48797" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A" }
],
"credits": [{ "name": "Ben Lubar" }]
},
{
"id": "GO-2022-0318",
"published": "2022-08-01T22:20:42Z",
"modified": "2022-09-20T15:16:04Z",
"aliases": ["CVE-2022-23773"],
"details": "Incorrect access control is possible in the go command.\n\nThe go command can misinterpret branch names that falsely appear to be\nversion tags. This can lead to incorrect access control if an actor is\nauthorized to create branches but not tags.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.16.14" },
{ "introduced": "1.17.0" },
{ "fixed": "1.17.7" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0318" },
"ecosystem_specific": {
"imports": [
{
"path": "cmd/go/internal/modfetch",
"symbols": ["codeRepo.convert", "codeRepo.validatePseudoVersion"]
}
]
}
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/378400" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb"
},
{ "type": "REPORT", "url": "https://go.dev/issue/35671" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" }
]
},
{
"id": "GO-2022-0475",
"published": "2022-07-28T17:24:30Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2020-28366"],
"details": "The go command may execute arbitrary code at build time when cgo is in use.\nThis may occur when running go get on a malicious package, or any other\ncommand that builds untrusted code.\n\nThis can be caused by malicious unquoted symbol name in a linked object\nfile.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.14.12" },
{ "introduced": "1.15.0" },
{ "fixed": "1.15.5" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0475" },
"ecosystem_specific": {
"imports": [
{ "path": "cmd/go", "symbols": ["Builder.cgo"] },
{ "path": "cmd/cgo", "symbols": ["dynimport"] }
]
}
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/269658" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"
},
{ "type": "REPORT", "url": "https://go.dev/issue/42559" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM" }
],
"credits": [{ "name": "Chris Brown and Tempus Ex" }]
},
{
"id": "GO-2022-0476",
"published": "2022-07-28T17:24:43Z",
"modified": "2022-10-21T20:22:39Z",
"aliases": ["CVE-2020-28367"],
"details": "The go command may execute arbitrary code at build time when cgo is in use.\nThis may occur when running go get on a malicious package, or any other\ncommand that builds untrusted code.\n\nThis can be caused by malicious gcc flags specified via a cgo directive.\n",
"affected": [
{
"package": { "name": "toolchain", "ecosystem": "Go" },
"ranges": [
{
"type": "SEMVER",
"events": [
{ "introduced": "0" },
{ "fixed": "1.14.12" },
{ "introduced": "1.15.0" },
{ "fixed": "1.15.5" }
]
}
],
"database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0476" },
"ecosystem_specific": {
"imports": [{ "path": "cmd/go", "symbols": ["validCompilerFlags"] }]
}
}
],
"references": [
{ "type": "FIX", "url": "https://go.dev/cl/267277" },
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"
},
{ "type": "REPORT", "url": "https://go.dev/issue/42556" },
{ "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM" }
],
"credits": [{ "name": "Imre Rad" }]
}
]