x/vulndb: add reports/GO-2022-0409.yaml for CVE-2020-15216

Fixes golang/vulndb#0409

Change-Id: I16ffd2ddd0204cdb8703b64d45cce5dd2c015baa
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414818
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0409.yaml b/reports/GO-2022-0409.yaml
new file mode 100644
index 0000000..fffe556
--- /dev/null
+++ b/reports/GO-2022-0409.yaml
@@ -0,0 +1,20 @@
+packages:
+  - module: github.com/russellhaering/goxmldsig
+    symbols:
+      - ValidationContext.findSignature
+    derived_symbols:
+      - ValidationContext.Validate
+    versions:
+      - fixed: 1.1.0
+    vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
+description: |
+    An attacker can create an XML file which completely bypasses signature validation,
+    passing off an altered file as a signed one.
+cves:
+  - CVE-2020-15216
+ghsas:
+  - GHSA-q547-gmf8-8jr7
+links:
+    commit: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
+    context:
+      - https://github.com/advisories/GHSA-rrfw-hg9m-j47h
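Review bot: The ID under `ghsas` (GHSA-q547-gmf8-8jr7) is not the advisory linked under `links: context` (GHSA-rrfw-hg9m-j47h). Please confirm which of the two corresponds to CVE-2020-15216; if both describe this issue, list both under `ghsas` rather than leaving one only as a context link, and if the second is a different issue, say why it is referenced. The `description` would also be more useful for triage if it stated that the bypass is reached through `ValidationContext.Validate`, since that is the exported symbol listed under `derived_symbols` and the one callers will recognise. Minor style point: the children of `links:` are indented four spaces while the children of `packages:` use two.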