data/reports: add vulnerable_at to GO-2021-0073.yaml
Aliases: CVE-2017-17831
Updates golang/vulndb#73
Change-Id: Ic932e738ee35036b6b42707b44ec8d1bfbf1ed5b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462619
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2021-0073.json b/data/osv/GO-2021-0073.json
index e8fb983..27e080c 100644
--- a/data/osv/GO-2021-0073.json
+++ b/data/osv/GO-2021-0073.json
@@ -33,6 +33,9 @@
{
"path": "github.com/git-lfs/git-lfs/lfsapi",
"symbols": [
+ "Client.NewRequest",
+ "sshAuthClient.Resolve",
+ "sshCache.Resolve",
"sshGetLFSExeAndArgs"
]
}
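Review bot: the subject line mentions only vulnerable_at, yet the "symbols" array for github.com/git-lfs/git-lfs/lfsapi also grows by three entries (Client.NewRequest, sshAuthClient.Resolve, sshCache.Resolve). Please say in the commit message that derived symbols were added as well, so anyone reading the OSV history can tell why the affected-symbol set widened. Note too that this flat list no longer shows which entry is the root symbol (sshGetLFSExeAndArgs) and which are callers; that distinction now lives only in the YAML report, so the two files need to stay in step.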
diff --git a/data/reports/GO-2021-0073.yaml b/data/reports/GO-2021-0073.yaml
index 9290ce5..81fe4d2 100644
--- a/data/reports/GO-2021-0073.yaml
+++ b/data/reports/GO-2021-0073.yaml
@@ -2,10 +2,15 @@
- module: github.com/git-lfs/git-lfs
versions:
- fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
+ vulnerable_at: 2.1.0+incompatible
packages:
- package: github.com/git-lfs/git-lfs/lfsapi
symbols:
- sshGetLFSExeAndArgs
+ derived_symbols:
+ - Client.NewRequest
+ - sshAuthClient.Resolve
+ - sshCache.Resolve
description: |
Arbitrary command execution can be triggered by improperly
sanitized SSH URLs in LFS configuration files. This can be
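Review bot: the versions block has a fixed bound but no introduced bound, so every release before the fix is treated as affected, while the derived_symbols list reflects the callers of sshGetLFSExeAndArgs at the single version named in vulnerable_at: 2.1.0+incompatible. Worth confirming that sshGetLFSExeAndArgs exists in lfsapi at 2.1.0, and adding a short comment or note that the derived list is specific to that version, since older releases may reach the symbol through different callers.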