data/reports: unexclude GO-2024-2539.yaml
This is a previously-excluded binary report used
to demonstrate the usage of the new "non_go_versions" field.
Aliases: CVE-2024-23319, GHSA-4fp6-574p-fc35
For golang/vulndb#2539
Change-Id: I06fa51de3e32d78bdc53bf8262e84d92e5af2d95
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568058
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/excluded/GO-2024-2539.yaml b/data/excluded/GO-2024-2539.yaml
deleted file mode 100644
index a3dc1df..0000000
--- a/data/excluded/GO-2024-2539.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: GO-2024-2539
-excluded: EFFECTIVELY_PRIVATE
-modules:
- - module: github.com/mattermost/mattermost-plugin-jira
-cves:
- - CVE-2024-23319
-ghsas:
- - GHSA-4fp6-574p-fc35
diff --git a/data/osv/GO-2024-2539.json b/data/osv/GO-2024-2539.json
new file mode 100644
index 0000000..6bec566
--- /dev/null
+++ b/data/osv/GO-2024-2539.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2539",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-23319",
+ "GHSA-4fp6-574p-fc35"
+ ],
+ "summary": "Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira",
+ "details": "Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-plugin-jira",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.2-0.20230830170046-f4cf4c6de017"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/mattermost/mattermost-plugin-jira/server",
+ "symbols": [
+ "Plugin.httpOAuth1aDisconnect",
+ "Plugin.initializeRouter"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23319"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2539"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2539.yaml b/data/reports/GO-2024-2539.yaml
new file mode 100644
index 0000000..2fce8b1
--- /dev/null
+++ b/data/reports/GO-2024-2539.yaml
@@ -0,0 +1,24 @@
+id: GO-2024-2539
+modules:
+ - module: github.com/mattermost/mattermost-plugin-jira
+ versions:
+ - fixed: 1.1.2-0.20230830170046-f4cf4c6de017
+ non_go_versions:
+ - fixed: 4.0.0-rc2
+ vulnerable_at: 1.1.2-0.20230829214939-57856e474934
+ packages:
+ - package: github.com/mattermost/mattermost-plugin-jira/server
+ symbols:
+ - Plugin.httpOAuth1aDisconnect
+ - Plugin.initializeRouter
+summary: |-
+ Cross-site request forgery via logout button in
+ github.com/mattermost/mattermost-plugin-jira
+cves:
+ - CVE-2024-23319
+ghsas:
+ - GHSA-4fp6-574p-fc35
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23319
+ - fix: https://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e
+ - web: https://mattermost.com/security-updates
diff --git a/doc/format.md b/doc/format.md
index 33267cf..b501c6e 100644
--- a/doc/format.md
+++ b/doc/format.md
@@ -103,6 +103,22 @@
module maintainers that do not conform to [Go's module
version conventions](https://go.dev/doc/modules/version-numbers).
+An example is data/reports/GO-2024-2539.yaml, whose vulnerable versions
+are listed as:
+
+```yaml
+versions:
+ - fixed: 1.1.2-0.20230830170046-f4cf4c6de017
+non_go_versions:
+ - fixed: 4.0.0-rc2
+vulnerable_at: 1.1.2-0.20230829214939-57856e474934
+```
+
+The [GHSA](https://github.com/advisories/GHSA-4fp6-574p-fc35) for this report
+lists a fixed version, `4.0.0-rc2`, which is not known to the module proxy.
+To encode this, we list that version as a "non-Go" version, and put the
+pseudo-version corresponding to the fix commit in the regular `versions` section.
+
### `module.vulnerable_at`
type `string`