x/vulndb: add reports/GO-2022-0409.yaml for CVE-2020-15216
Fixes golang/vulndb#0409
Change-Id: I16ffd2ddd0204cdb8703b64d45cce5dd2c015baa
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414818
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0409.yaml b/reports/GO-2022-0409.yaml
new file mode 100644
index 0000000..fffe556
--- /dev/null
+++ b/reports/GO-2022-0409.yaml
@@ -0,0 +1,20 @@
+packages:
+ - module: github.com/russellhaering/goxmldsig
+ symbols:
+ - ValidationContext.findSignature
+ derived_symbols:
+ - ValidationContext.Validate
+ versions:
+ - fixed: 1.1.0
+ vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
+description: |
+ An attacker can create an XML file which completely bypasses signature validation,
+ passing off an altered file as a signed one.
+cves:
+ - CVE-2020-15216
+ghsas:
+ - GHSA-q547-gmf8-8jr7
+links:
+ commit: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
+ context:
+ - https://github.com/advisories/GHSA-rrfw-hg9m-j47h