data/reports: apply vulnreport fix to 1117, 1118, 1130, 1155, 1165, and 1166
Change-Id: I3dd3f463ba0f42e56d85cce7fb545ebc70294fef
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/463112
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/osv/GO-2022-1117.json b/data/osv/GO-2022-1117.json
index c987911..04b931f 100644
--- a/data/osv/GO-2022-1117.json
+++ b/data/osv/GO-2022-1117.json
@@ -1,5 +1,4 @@
{
- "schema_version": "1.3.1",
"id": "GO-2022-1117",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
@@ -93,5 +92,6 @@
"type": "FIX",
"url": "https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81"
}
- ]
+ ],
+ "schema_version": "1.3.1"
}
\ No newline at end of file
diff --git a/data/osv/GO-2022-1118.json b/data/osv/GO-2022-1118.json
index 270cfbe..82ec2c8 100644
--- a/data/osv/GO-2022-1118.json
+++ b/data/osv/GO-2022-1118.json
@@ -1,5 +1,4 @@
{
- "schema_version": "1.3.1",
"id": "GO-2022-1118",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
@@ -54,5 +53,6 @@
"type": "FIX",
"url": "https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d"
}
- ]
+ ],
+ "schema_version": "1.3.1"
}
\ No newline at end of file
diff --git a/data/osv/GO-2022-1130.json b/data/osv/GO-2022-1130.json
index d383350..ef75478 100644
--- a/data/osv/GO-2022-1130.json
+++ b/data/osv/GO-2022-1130.json
@@ -1,5 +1,4 @@
{
- "schema_version": "1.3.1",
"id": "GO-2022-1130",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
@@ -66,5 +65,6 @@
{
"name": "Lei Wan"
}
- ]
+ ],
+ "schema_version": "1.3.1"
}
\ No newline at end of file
diff --git a/data/osv/GO-2022-1155.json b/data/osv/GO-2022-1155.json
index 466d8ac..7a1a78d 100644
--- a/data/osv/GO-2022-1155.json
+++ b/data/osv/GO-2022-1155.json
@@ -1,5 +1,4 @@
{
- "schema_version": "1.3.1",
"id": "GO-2022-1155",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
@@ -103,5 +102,6 @@
{
"name": "@mrd0ll4r (https://github.com/mrd0ll4r)"
}
- ]
+ ],
+ "schema_version": "1.3.1"
}
\ No newline at end of file
diff --git a/data/osv/GO-2022-1165.json b/data/osv/GO-2022-1165.json
index 7aeaf7e..f6dcbfa 100644
--- a/data/osv/GO-2022-1165.json
+++ b/data/osv/GO-2022-1165.json
@@ -1,5 +1,4 @@
{
- "schema_version": "1.3.1",
"id": "GO-2022-1165",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
@@ -68,5 +67,6 @@
{
"name": "Ada Logics, in a fuzzing audit sponsored by CNCF"
}
- ]
+ ],
+ "schema_version": "1.3.1"
}
\ No newline at end of file
diff --git a/data/osv/GO-2022-1166.json b/data/osv/GO-2022-1166.json
index 92a6b6f..dfaf079 100644
--- a/data/osv/GO-2022-1166.json
+++ b/data/osv/GO-2022-1166.json
@@ -1,5 +1,4 @@
{
- "schema_version": "1.3.1",
"id": "GO-2022-1166",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
@@ -58,5 +57,6 @@
{
"name": "Ada Logics, in a fuzzing audit sponsored by CNCF"
}
- ]
+ ],
+ "schema_version": "1.3.1"
}
\ No newline at end of file
diff --git a/data/reports/GO-2022-1117.yaml b/data/reports/GO-2022-1117.yaml
index 4828387..65b0dee 100644
--- a/data/reports/GO-2022-1117.yaml
+++ b/data/reports/GO-2022-1117.yaml
@@ -1,42 +1,42 @@
modules:
- - module: github.com/codenotary/immudb
- versions:
- - fixed: 1.4.1
- vulnerable_at: 1.4.0
- packages:
- - package: github.com/codenotary/immudb/pkg/client/auditor
- symbols:
- - defaultAuditor.audit
- derived_symbols:
- - defaultAuditor.Run
- - package: github.com/codenotary/immudb/pkg/client
- symbols:
- - immuClient.verifiedGet
- - immuClient.VerifiedSet
- - immuClient.VerifiedTxByID
- - immuClient.VerifiedSetReferenceAt
- - immuClient.VerifiedZAddAt
- - immuClient.VerifyRow
- - immuClient._streamVerifiedSet
- - immuClient._streamVerifiedGet
- derived_symbols:
- - immuClient.SafeGet
- - immuClient.SafeReference
- - immuClient.SafeSet
- - immuClient.SafeZAdd
- - immuClient.StreamVerifiedGet
- - immuClient.StreamVerifiedSet
- - immuClient.VerifiedGet
- - immuClient.VerifiedGetAt
- - immuClient.VerifiedGetAtRevision
- - immuClient.VerifiedGetSince
- - immuClient.VerifiedSetReference
- - immuClient.VerifiedZAdd
- - package: github.com/codenotary/immudb/embedded/store
- symbols:
- - ImmuStore.DualProof
- - VerifyLinearProof
- - VerifyDualProof
+ - module: github.com/codenotary/immudb
+ versions:
+ - fixed: 1.4.1
+ vulnerable_at: 1.4.0
+ packages:
+ - package: github.com/codenotary/immudb/pkg/client/auditor
+ symbols:
+ - defaultAuditor.audit
+ derived_symbols:
+ - defaultAuditor.Run
+ - package: github.com/codenotary/immudb/pkg/client
+ symbols:
+ - immuClient.verifiedGet
+ - immuClient.VerifiedSet
+ - immuClient.VerifiedTxByID
+ - immuClient.VerifiedSetReferenceAt
+ - immuClient.VerifiedZAddAt
+ - immuClient.VerifyRow
+ - immuClient._streamVerifiedSet
+ - immuClient._streamVerifiedGet
+ derived_symbols:
+ - immuClient.SafeGet
+ - immuClient.SafeReference
+ - immuClient.SafeSet
+ - immuClient.SafeZAdd
+ - immuClient.StreamVerifiedGet
+ - immuClient.StreamVerifiedSet
+ - immuClient.VerifiedGet
+ - immuClient.VerifiedGetAt
+ - immuClient.VerifiedGetAtRevision
+ - immuClient.VerifiedGetSince
+ - immuClient.VerifiedSetReference
+ - immuClient.VerifiedZAdd
+ - package: github.com/codenotary/immudb/embedded/store
+ symbols:
+ - ImmuStore.DualProof
+ - VerifyLinearProof
+ - VerifyDualProof
description: |
In certain scenarios, a malicious immudb server can provide a
falsified proof that will be accepted by the client SDK signing a
@@ -48,11 +48,11 @@
This vulnerability only affects immudb client SDKs, the immudb server
itself is not affected by this vulnerability.
cves:
- - CVE-2022-36111
+ - CVE-2022-36111
ghsas:
- - GHSA-672p-m5jq-mrh8
+ - GHSA-672p-m5jq-mrh8
references:
- - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8
- - article: https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake
- - fix: https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6
- - fix: https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81
+ - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8
+ - article: https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake
+ - fix: https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6
+ - fix: https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81
diff --git a/data/reports/GO-2022-1118.yaml b/data/reports/GO-2022-1118.yaml
index 91ae988..b60b4b7 100644
--- a/data/reports/GO-2022-1118.yaml
+++ b/data/reports/GO-2022-1118.yaml
@@ -1,16 +1,16 @@
modules:
- - module: github.com/codenotary/immudb
- versions:
- - fixed: 1.4.1
- vulnerable_at: 1.4.0
- packages:
- - package: github.com/codenotary/immudb/pkg/client
- symbols:
- - NewImmuClient
- - DefaultOptions
- - immuClient.OpenSession
- derived_symbols:
- - NewClient
+ - module: github.com/codenotary/immudb
+ versions:
+ - fixed: 1.4.1
+ vulnerable_at: 1.4.0
+ packages:
+ - package: github.com/codenotary/immudb/pkg/client
+ symbols:
+ - NewImmuClient
+ - DefaultOptions
+ - immuClient.OpenSession
+ derived_symbols:
+ - NewClient
description: |
A malicious server can trick a client into treating it as a different
server by changing the reported UUID.
@@ -22,9 +22,9 @@
malicious server can therefore change the reported UUID and trick the
client into treating it as a different server.
cves:
- - CVE-2022-39199
+ - CVE-2022-39199
ghsas:
- - GHSA-6cqj-6969-p57x
+ - GHSA-6cqj-6969-p57x
references:
- - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x
- - fix: https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d
+ - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x
+ - fix: https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d
diff --git a/data/reports/GO-2022-1130.yaml b/data/reports/GO-2022-1130.yaml
index 098362a..c75b493 100644
--- a/data/reports/GO-2022-1130.yaml
+++ b/data/reports/GO-2022-1130.yaml
@@ -1,28 +1,28 @@
modules:
- - module: github.com/prometheus/exporter-toolkit
- versions:
- - fixed: 0.7.2
- - introduced: 0.8.0
- fixed: 0.8.2
- vulnerable_at: 0.8.1
- packages:
- - package: github.com/prometheus/exporter-toolkit/web
- symbols:
- - webHandler.ServeHTTP
- derived_symbols:
- - Listen
- - ListenAndServe
- - Serve
- - ServeMultiple
+ - module: github.com/prometheus/exporter-toolkit
+ versions:
+ - fixed: 0.7.2
+ - introduced: 0.8.0
+ fixed: 0.8.2
+ vulnerable_at: 0.8.1
+ packages:
+ - package: github.com/prometheus/exporter-toolkit/web
+ symbols:
+ - webHandler.ServeHTTP
+ derived_symbols:
+ - Listen
+ - ListenAndServe
+ - Serve
+ - ServeMultiple
description: |
If an attacker has access to a Prometheus web.yml file and users' bcrypted
passwords, it would be possible to bypass security via the built-in
authentication cache.
cves:
- - CVE-2022-46146
+ - CVE-2022-46146
ghsas:
- - GHSA-7rg2-cxvp-9p7p
+ - GHSA-7rg2-cxvp-9p7p
credit: Lei Wan
references:
- - advisory: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
- - fix: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
+ - advisory: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
+ - fix: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
diff --git a/data/reports/GO-2022-1155.yaml b/data/reports/GO-2022-1155.yaml
index 770bb47..7e9d994 100644
--- a/data/reports/GO-2022-1155.yaml
+++ b/data/reports/GO-2022-1155.yaml
@@ -1,45 +1,45 @@
modules:
- - module: github.com/ipfs/go-merkledag
- versions:
- - introduced: 0.4.0
- fixed: 0.8.1
- vulnerable_at: 0.7.0
- packages:
- - package: github.com/ipfs/go-merkledag
- symbols:
- - ProtoNode.SetCidBuilder
- - ProtoNode.marshalImmutable
- - ProtoNode.AddRawLink
- - ProtoNode.UnmarshalJSON
- - ProtoNode.Cid
- - ProtoNode.RawData
- - ProtoNode.Multihash
- - ProtoNode.SetLinks
- derived_symbols:
- - ProtoNode.AddNodeLink
- - ProtoNode.AsBool
- - ProtoNode.AsBytes
- - ProtoNode.AsFloat
- - ProtoNode.AsInt
- - ProtoNode.AsLink
- - ProtoNode.AsString
- - ProtoNode.EncodeProtobuf
- - ProtoNode.IsAbsent
- - ProtoNode.IsNull
- - ProtoNode.Kind
- - ProtoNode.Length
- - ProtoNode.ListIterator
- - ProtoNode.Loggable
- - ProtoNode.LookupByIndex
- - ProtoNode.LookupByNode
- - ProtoNode.LookupBySegment
- - ProtoNode.LookupByString
- - ProtoNode.MapIterator
- - ProtoNode.Marshal
- - ProtoNode.Size
- - ProtoNode.Stat
- - ProtoNode.String
- - ProtoNode.UpdateNodeLink
+ - module: github.com/ipfs/go-merkledag
+ versions:
+ - introduced: 0.4.0
+ fixed: 0.8.1
+ vulnerable_at: 0.7.0
+ packages:
+ - package: github.com/ipfs/go-merkledag
+ symbols:
+ - ProtoNode.SetCidBuilder
+ - ProtoNode.marshalImmutable
+ - ProtoNode.AddRawLink
+ - ProtoNode.UnmarshalJSON
+ - ProtoNode.Cid
+ - ProtoNode.RawData
+ - ProtoNode.Multihash
+ - ProtoNode.SetLinks
+ derived_symbols:
+ - ProtoNode.AddNodeLink
+ - ProtoNode.AsBool
+ - ProtoNode.AsBytes
+ - ProtoNode.AsFloat
+ - ProtoNode.AsInt
+ - ProtoNode.AsLink
+ - ProtoNode.AsString
+ - ProtoNode.EncodeProtobuf
+ - ProtoNode.IsAbsent
+ - ProtoNode.IsNull
+ - ProtoNode.Kind
+ - ProtoNode.Length
+ - ProtoNode.ListIterator
+ - ProtoNode.Loggable
+ - ProtoNode.LookupByIndex
+ - ProtoNode.LookupByNode
+ - ProtoNode.LookupBySegment
+ - ProtoNode.LookupByString
+ - ProtoNode.MapIterator
+ - ProtoNode.Marshal
+ - ProtoNode.Size
+ - ProtoNode.Stat
+ - ProtoNode.String
+ - ProtoNode.UpdateNodeLink
description: |-
A ProtoNode may be modified in such a way as to cause various encode
errors which will trigger a panic on common method calls that don't
@@ -51,14 +51,14 @@
cause the same methods to panic as a new CID is required but cannot
be created.
cves:
- - CVE-2022-23495
+ - CVE-2022-23495
ghsas:
- - GHSA-x39j-h85h-3f46
+ - GHSA-x39j-h85h-3f46
credit: '@mrd0ll4r (https://github.com/mrd0ll4r)'
references:
- - advisory: https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46
- - report: https://github.com/ipfs/kubo/issues/9297
- - report: https://github.com/ipfs/go-merkledag/issues/90
- - fix: https://github.com/ipfs/go-merkledag/pull/91
- - fix: https://github.com/ipfs/go-merkledag/pull/92
- - fix: https://github.com/ipfs/go-merkledag/pull/93
+ - advisory: https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46
+ - report: https://github.com/ipfs/kubo/issues/9297
+ - report: https://github.com/ipfs/go-merkledag/issues/90
+ - fix: https://github.com/ipfs/go-merkledag/pull/91
+ - fix: https://github.com/ipfs/go-merkledag/pull/92
+ - fix: https://github.com/ipfs/go-merkledag/pull/93
diff --git a/data/reports/GO-2022-1165.yaml b/data/reports/GO-2022-1165.yaml
index 4e13840..c8e2244 100644
--- a/data/reports/GO-2022-1165.yaml
+++ b/data/reports/GO-2022-1165.yaml
@@ -1,25 +1,25 @@
modules:
- - module: helm.sh/helm/v3
- versions:
- - fixed: 3.10.3
- vulnerable_at: 3.10.2
- packages:
- - package: helm.sh/helm/v3/pkg/repo
- symbols:
- - IndexFile.MustAdd
- - loadIndex
- - File.Remove
- derived_symbols:
- - ChartRepository.DownloadIndexFile
- - ChartRepository.Index
- - ChartRepository.Load
- - FindChartInAuthAndTLSAndPassRepoURL
- - FindChartInAuthAndTLSRepoURL
- - FindChartInAuthRepoURL
- - FindChartInRepoURL
- - IndexDirectory
- - IndexFile.Add
- - LoadIndexFile
+ - module: helm.sh/helm/v3
+ versions:
+ - fixed: 3.10.3
+ vulnerable_at: 3.10.2
+ packages:
+ - package: helm.sh/helm/v3/pkg/repo
+ symbols:
+ - IndexFile.MustAdd
+ - loadIndex
+ - File.Remove
+ derived_symbols:
+ - ChartRepository.DownloadIndexFile
+ - ChartRepository.Index
+ - ChartRepository.Load
+ - FindChartInAuthAndTLSAndPassRepoURL
+ - FindChartInAuthAndTLSRepoURL
+ - FindChartInAuthRepoURL
+ - FindChartInRepoURL
+ - IndexDirectory
+ - IndexFile.Add
+ - LoadIndexFile
description: |
Applications that use the repo package in the Helm SDK to parse an index
file can suffer a Denial of Service when that input causes a panic that
@@ -35,10 +35,10 @@
violation panic. Helm is not a long running service so the panic will not
affect future uses of the Helm client.
cves:
- - CVE-2022-23525
+ - CVE-2022-23525
ghsas:
- - GHSA-53c4-hhmh-vw5q
+ - GHSA-53c4-hhmh-vw5q
credit: Ada Logics, in a fuzzing audit sponsored by CNCF
references:
- - advisory: https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
- - fix: https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
+ - advisory: https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
+ - fix: https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
diff --git a/data/reports/GO-2022-1166.yaml b/data/reports/GO-2022-1166.yaml
index a7a5fe4..59db707 100644
--- a/data/reports/GO-2022-1166.yaml
+++ b/data/reports/GO-2022-1166.yaml
@@ -1,15 +1,15 @@
modules:
- - module: helm.sh/helm/v3
- versions:
- - fixed: 3.10.3
- vulnerable_at: 3.10.2
- packages:
- - package: helm.sh/helm/v3/pkg/chartutil
- symbols:
- - ValidateAgainstSingleSchema
- derived_symbols:
- - ToRenderValues
- - ValidateAgainstSchema
+ - module: helm.sh/helm/v3
+ versions:
+ - fixed: 3.10.3
+ vulnerable_at: 3.10.2
+ packages:
+ - package: helm.sh/helm/v3/pkg/chartutil
+ symbols:
+ - ValidateAgainstSingleSchema
+ derived_symbols:
+ - ToRenderValues
+ - ValidateAgainstSchema
description: |
Certain JSON schema validation files can cause a Helm Client to panic,
leading to a possible denial of service.
@@ -24,10 +24,10 @@
panic. Helm is not a long running service so the panic will not affect
future uses of the Helm client.
cves:
- - CVE-2022-23526
+ - CVE-2022-23526
ghsas:
- - GHSA-67fx-wx78-jx33
+ - GHSA-67fx-wx78-jx33
credit: Ada Logics, in a fuzzing audit sponsored by CNCF
references:
- - advisory: https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
- - fix: https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d
+ - advisory: https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
+ - fix: https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d