Google Git
Sign in
go / vulndb / 0ab8d8ec222b4c5fa631e0396953b9e1bed616d2^! / .
commit0ab8d8ec222b4c5fa631e0396953b9e1bed616d2[log] [tgz]
authorTatiana Bradley <tatianabradley@google.com>Thu Feb 29 14:56:54 2024 -0500
committerTatiana Bradley <tatianabradley@google.com>Mon Mar 18 17:29:34 2024 +0000
treea804af0b0eb6dc406b811f203c7705971b1cf206
parent183a48467d5b7bb8036c5a0dcc80b6c0c370476a [diff]
data/reports: unexclude GO-2024-2539.yaml

This is a previously-excluded binary report used
to demonstrate the usage of the new "non_go_versions" field.

Aliases: CVE-2024-23319, GHSA-4fp6-574p-fc35

For golang/vulndb#2539

Change-Id: I06fa51de3e32d78bdc53bf8262e84d92e5af2d95
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568058
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

diff --git a/data/excluded/GO-2024-2539.yaml b/data/excluded/GO-2024-2539.yaml
deleted file mode 100644
index a3dc1df..0000000
--- a/data/excluded/GO-2024-2539.yaml
+++ /dev/null

@@ -1,8 +0,0 @@
-id: GO-2024-2539
-excluded: EFFECTIVELY_PRIVATE
-modules:
-    - module: github.com/mattermost/mattermost-plugin-jira
-cves:
-    - CVE-2024-23319
-ghsas:
-    - GHSA-4fp6-574p-fc35

diff --git a/data/osv/GO-2024-2539.json b/data/osv/GO-2024-2539.json
new file mode 100644
index 0000000..6bec566
--- /dev/null
+++ b/data/osv/GO-2024-2539.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2539",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-23319",
+    "GHSA-4fp6-574p-fc35"
+  ],
+  "summary": "Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira",
+  "details": "Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-plugin-jira",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.2-0.20230830170046-f4cf4c6de017"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/mattermost/mattermost-plugin-jira/server",
+            "symbols": [
+              "Plugin.httpOAuth1aDisconnect",
+              "Plugin.initializeRouter"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23319"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2539"
+  }
+}
\ No newline at end of file

diff --git a/data/reports/GO-2024-2539.yaml b/data/reports/GO-2024-2539.yaml
new file mode 100644
index 0000000..2fce8b1
--- /dev/null
+++ b/data/reports/GO-2024-2539.yaml

@@ -0,0 +1,24 @@
+id: GO-2024-2539
+modules:
+    - module: github.com/mattermost/mattermost-plugin-jira
+      versions:
+        - fixed: 1.1.2-0.20230830170046-f4cf4c6de017
+      non_go_versions:
+        - fixed: 4.0.0-rc2
+      vulnerable_at: 1.1.2-0.20230829214939-57856e474934
+      packages:
+        - package: github.com/mattermost/mattermost-plugin-jira/server
+          symbols:
+            - Plugin.httpOAuth1aDisconnect
+            - Plugin.initializeRouter
+summary: |-
+    Cross-site request forgery via logout button in
+    github.com/mattermost/mattermost-plugin-jira
+cves:
+    - CVE-2024-23319
+ghsas:
+    - GHSA-4fp6-574p-fc35
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23319
+    - fix: https://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e
+    - web: https://mattermost.com/security-updates

diff --git a/doc/format.md b/doc/format.md
index 33267cf..b501c6e 100644
--- a/doc/format.md
+++ b/doc/format.md

@@ -103,6 +103,22 @@
 module maintainers that do not conform to [Go's module
 version conventions](https://go.dev/doc/modules/version-numbers).
 
+An example is data/reports/GO-2024-2539.yaml, whose vulnerable versions
+are listed as:
+
+```yaml
+versions:
+  - fixed: 1.1.2-0.20230830170046-f4cf4c6de017
+non_go_versions:
+  - fixed: 4.0.0-rc2
+vulnerable_at: 1.1.2-0.20230829214939-57856e474934
+```
+
+The [GHSA](https://github.com/advisories/GHSA-4fp6-574p-fc35) for this report
+lists a fixed version, `4.0.0-rc2`, which is not known to the module proxy.
+To encode this, we list that version as a "non-Go" version, and put the
+pseudo-version corresponding to the fix commit in the regular `versions` section.
+
 ### `module.vulnerable_at`
 
 type `string`