data/reports: add GO-2023-1268.yaml

Aliases: CVE-2022-48195, GHSA-gvfj-fxx3-j323

Fixes golang/vulndb#1268

Change-Id: I9eb42d8175d913b679066daa3990897eb08594d8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/461645
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/osv/GO-2023-1268.json b/data/osv/GO-2023-1268.json
new file mode 100644
index 0000000..26702b7
--- /dev/null
+++ b/data/osv/GO-2023-1268.json
@@ -0,0 +1,56 @@
+{
+  "id": "GO-2023-1268",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-48195",
+    "GHSA-gvfj-fxx3-j323"
+  ],
+  "details": "An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.",
+  "affected": [
+    {
+      "package": {
+        "name": "mellium.im/sasl",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.3.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2023-1268"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "mellium.im/sasl",
+            "symbols": [
+              "NewClient",
+              "NewServer"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://mellium.im/cve/cve-2022-48195/"
+    },
+    {
+      "type": "FIX",
+      "url": "https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732"
+    }
+  ],
+  "schema_version": "1.3.1"
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-1268.yaml b/data/reports/GO-2023-1268.yaml
new file mode 100644
index 0000000..6b02ecc
--- /dev/null
+++ b/data/reports/GO-2023-1268.yaml
@@ -0,0 +1,24 @@
+modules:
+  - module: mellium.im/sasl
+    versions:
+      - fixed: 0.3.1
+    vulnerable_at: 0.3.0
+    packages:
+      - package: mellium.im/sasl
+        symbols:
+          - NewClient
+          - NewServer
+description: |-
+    An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When
+    performing SCRAM-based SASL authentication, if the remote end advertises support
+    for channel binding, no random nonce is generated (instead, the nonce is empty).
+    This causes authentication to fail in the best case, but (if paired with a remote
+    end that does not validate the length of the nonce) could lead to insufficient
+    randomness being used during authentication.
+cves:
+  - CVE-2022-48195
+ghsas:
+  - GHSA-gvfj-fxx3-j323
+references:
+  - advisory: https://mellium.im/cve/cve-2022-48195/
+  - fix: https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732
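Review bot: The `symbols` list marks both `NewClient` and `NewServer` as vulnerable, but the description ties the empty nonce to the case where "the remote end advertises support for channel binding", which reads as only one side of the negotiation. These symbols presumably drive call-graph matching for consumers of the report, so an over-broad list would produce false positives and an over-narrow one would miss affected callers. It is worth confirming against the referenced fix commit that both constructors skip nonce generation, and dropping `- NewServer` if only one path is affected. The description is the CVE text verbatim. Once the scope is confirmed, a Go-specific sentence such as `A Negotiator created with NewClient or NewServer generates no nonce when the remote end advertises channel binding.` would tell users which entry points to audit.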